A real Internet worm attack active again ... / 2011-08-29

Koos van den Hout

2011-08-29 A real Internet worm attack active again ... 10 years ago

A real Internet worm attack active again, giving me lots of tcp/3389 attempts in the firewall logs.

Aug 28 10:49:54 greenblatt kernel: [2779836.731355] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18577 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 10:49:54 greenblatt kernel: [2779836.932856] FW reject: IN=ppp0 OUT= MAC= SRC=87.126.80.33 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=18701 DF PROTO=TCP SPT=2150 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 28 11:11:33 greenblatt kernel: [2780369.772706] FW reject: IN=ppp0 OUT= MAC= SRC=184.22.73.103 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0 
Aug 28 15:37:32 greenblatt kernel: [2786904.189671] FW reject: IN=ppp0 OUT= MAC= SRC=60.190.1.15 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=6587 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

Described in detail at Windows Remote Desktop worm "Morto" spreading - F-secure weblog.

Found via Worm spreading via RDP - The Register.