Russell Fulton | 15 Mar 19:06 2012

ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt 2014384

I am seeing lots of hits on this one. I've traced some of them to Morto, which terminates TCP sessions with a RST :(

10	268911979	2012-03-15 19:03:03	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268911985	2012-03-15 19:03:09	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268911991	2012-03-15 19:03:16	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268911996	2012-03-15 19:03:23	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268912001	2012-03-15 19:03:29	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268912005	2012-03-15 19:03:36	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
10	268912007	2012-03-15 19:03:43	ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	52
10	268912008	2012-03-15 19:03:43	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71

Others appear to be slowly probing random addresses:

   21:01:46.866076  e         tcp        1.192.145.6.80        ?>     130.216.151.82.3389          2        120    A_
   21:01:46.866078  e        icmp        1.192.145.6.8         ->     130.216.151.82.24422         1         74   ECO
   21:01:46.866080  e s       tcp        1.192.145.6.4935      ->     130.216.151.82.3389          5        300   SR_
   21:01:51.876360  e        icmp        1.192.145.6.8         ->     130.216.151.82.24422         1         74   ECO
   21:15:04.302881  e s       tcp        1.192.145.6.4627      ->    130.216.170.131.3389          4        240   SR_
   21:15:04.302971  e         tcp        1.192.145.6.80        ?>    130.216.170.131.3389          2        120    A_
   21:15:04.302990  e        icmp        1.192.145.6.8         ->    130.216.170.131.54030         1         74   ECO
   21:15:09.313525  e        icmp        1.192.145.6.8         ->    130.216.170.131.54030         1         74   ECO
   21:23:48.732839  e        icmp        1.192.145.6.8         ->    130.216.135.219.47959         1         74   ECO

Matthew Jonkman | 15 Mar 22:15 2012

Re: ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt 2014384

How are hits on the current version of the detection, which is 3 sigs?

That should eliminate the hits on a normal session ending in a reset. It'll only fire now if the reset happens
prior to the session being established.

Matt

On Mar 15, 2012, at 2:06 PM, Russell Fulton wrote:

> I am seeing lots of hits on this one. I've traced some of them to Morto, which terminates TCP sessions with a RST :(
> 
> 10	268911979	2012-03-15 19:03:03	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268911985	2012-03-15 19:03:09	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268911991	2012-03-15 19:03:16	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268911996	2012-03-15 19:03:23	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268912001	2012-03-15 19:03:29	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268912005	2012-03-15 19:03:36	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 10	268912007	2012-03-15 19:03:43	ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	52
> 10	268912008	2012-03-15 19:03:43	ET TROJAN MS Terminal Server User A Login, possible Morto inbound	1.202.237.163 None	130.216.189.57 ssdash.org.nz	6	71
> 
> Others appear to be slowly probing random addresses:
> 
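As an added illustration of the distinction Matt draws (a RST after the session is established is a normal abortive close; a RST before the handshake completes is what the revised sig is after), the following Python tracks the tcp/3389 handshake state per flow, counts only pre-establishment resets, and then applies a per-source count over a 30 second window. This is not code from the thread or from the ET ruleset; the packet trace, the three-event threshold and the flag encoding are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet records (t, src, sport, dst, dport, flags); not from the thread.
PACKETS = [
    # Client A: full handshake, data, then an abortive RST close (benign).
    (0.0, "10.0.0.5", 51000, "10.0.0.9", 3389, "S"),
    (0.1, "10.0.0.9", 3389, "10.0.0.5", 51000, "SA"),
    (0.2, "10.0.0.5", 51000, "10.0.0.9", 3389, "A"),
    (5.0, "10.0.0.5", 51000, "10.0.0.9", 3389, "PA"),
    (9.0, "10.0.0.5", 51000, "10.0.0.9", 3389, "R"),
    # Client B: resets each flow before its own ACK, three times inside 30 s.
    (20.0, "192.0.2.7", 4935, "10.0.0.9", 3389, "S"),
    (20.1, "10.0.0.9", 3389, "192.0.2.7", 4935, "SA"),
    (20.2, "192.0.2.7", 4935, "10.0.0.9", 3389, "R"),
    (25.0, "192.0.2.7", 4936, "10.0.0.9", 3389, "S"),
    (25.1, "10.0.0.9", 3389, "192.0.2.7", 4936, "SA"),
    (25.2, "192.0.2.7", 4936, "10.0.0.9", 3389, "R"),
    (40.0, "192.0.2.7", 4937, "10.0.0.9", 3389, "S"),
    (40.2, "192.0.2.7", 4937, "10.0.0.9", 3389, "R"),
]

def rst_before_established(packets, port=3389, window=30.0):
    """(time, client) for each tcp/port flow the client resets before the handshake completes."""
    flows, events = {}, []    # (client, cport, server) -> [state, syn_time]
    for t, src, sport, dst, dport, flags in sorted(packets):
        if port not in (sport, dport):
            continue
        from_client = dport == port
        key = (src, sport, dst) if from_client else (dst, dport, src)
        if from_client and flags == "S":
            flows[key] = ["syn_sent", t]
        elif key not in flows:
            continue                      # mid-stream packet, no SYN seen
        elif not from_client and "S" in flags and "A" in flags:
            flows[key][0] = "syn_received"
        elif from_client and flags == "A" and flows[key][0] == "syn_received":
            flows[key][0] = "established"
        elif from_client and "R" in flags:
            state, t0 = flows.pop(key)
            if state != "established" and t - t0 <= window:
                events.append((t, src))
    return events

def noisy_sources(events, count=3, window=30.0):
    """Sources with at least `count` pre-handshake resets inside `window` seconds."""
    by_src = defaultdict(list)
    for t, src in sorted(events):
        by_src[src].append(t)
    return {s for s, ts in by_src.items()
            if any(ts[i + count - 1] - ts[i] <= window for i in range(len(ts) - count + 1))}
```

Client A produces no event because its RST arrives after the handshake, which is exactly the Morto-style session end that the original sig was matching.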

