Am I getting attacked on port 3389?

mouthfeel

n00b
Joined
Jun 23, 2013
Messages
1
Hi all,

Thanks in advance for helping me out.

I was hoping someone could take a look at the linked screenshot

https://dl.dropboxusercontent.com/u/24418594/networkshot.jpg

It appears someone or something from China, Iceland, and other outside-country IPs is trying to connect on port 3389. I know port 3389 is used for RDP and I can tell you there is no need for this service on this particular network. The foreign IPs and RDP lead me to believe something malicious is being attempted. Is the firewall doing its job? Should I be worried? Should I simply block every foreign IP I see?

What has me confused is:

- Port 3389 should be closed, but it's still being attacked?
- The device ending in .115 is an Android device and has since been removed from the network. Why would an Android device be targeted?
- What exactly does "SYN_SENT" mean? Should I only be worried if a connection gets "ESTABLISHED"?

THANK YOU for the help. I've been stressing all week!
 
Looks suspicious, although I can't say for certain what it is. You could always set up a honeypot with netcat on 3389, let it accept incoming connections, and see what the IPs are sending.

SYN is the first step of a TCP handshake. In order for two computers to connect over TCP they have to handshake via a SYN -> SYN-ACK -> ACK process. SYN_SENT just means that IP tried to handshake (or 'connect', basically) on 3389.
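The netcat honeypot suggested in the reply above, written out as a small Python listener. This is an added example, not the poster's setup and not netcat: it binds the port, accepts each connection, records the source address and whatever bytes arrive first without ever answering, then closes. The `capture_with_probe` self-check and its payload are constructed for offline testing; the host, port and timeout values are assumptions you would adjust. The TPKT check reflects the fact that RDP is carried in TPKT frames that begin with bytes 03 00, so it separates probes that actually speak RDP from scanners that only complete the handshake and leave. Run it only on a machine that does not itself run a real RDP service, since it must own the port.

```python
import socket
import threading
from datetime import datetime, timezone

def start_listener(host="127.0.0.1", port=0, backlog=16):
    """Bind a plain TCP listener and return (socket, bound_port).
    port=0 lets the OS pick a free port, which the self-check relies on;
    for the thread's scenario you would bind 0.0.0.0:3389 (assumed values)
    on a host that does NOT run a real RDP service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(backlog)
    return srv, srv.getsockname()[1]

def capture_one(srv, read_timeout=3.0, max_bytes=256):
    """Accept one connection, record the peer and up to max_bytes of whatever
    it sends first, then close. Nothing is written back, so the peer learns
    only that the port answered the SYN."""
    conn, (peer_ip, peer_port) = srv.accept()
    conn.settimeout(read_timeout)
    data = b""
    try:
        while len(data) < max_bytes:
            chunk = conn.recv(max_bytes - len(data))
            if not chunk:          # peer closed the connection
                break
            data += chunk
    except socket.timeout:
        pass                       # many scanners connect and never send a byte
    finally:
        conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "peer_ip": peer_ip,
        "peer_port": peer_port,
        "bytes_received": len(data),
        "first_bytes_hex": data.hex(),
        # RDP runs inside TPKT frames, whose header starts with 0x03 0x00.
        "looks_like_tpkt": data[:2] == b"\x03\x00",
    }

def capture_with_probe(payload, read_timeout=2.0):
    """Offline self-check (constructed): run the listener on a loopback port,
    connect to it ourselves with the given payload, return the record."""
    srv, port = start_listener()
    results = []
    worker = threading.Thread(
        target=lambda: results.append(capture_one(srv, read_timeout)))
    worker.start()
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(payload)
    client.close()
    worker.join(read_timeout + 5)
    srv.close()
    return results[0] if results else None

if __name__ == "__main__":
    srv, port = start_listener("0.0.0.0", 3389)
    print(f"listening on tcp/{port}; Ctrl-C to stop")
    while True:
        print(capture_one(srv))
```

Each record is one line of evidence you can correlate with the firewall log: a peer that sends a TPKT header was running an RDP client or RDP-aware scanner, while a peer that connects and sends nothing was most likely just checking whether the port is open.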
 
If you don't have RDP open to the outside (which would be VERY stupid to do) then you are ok. I'd still mess around with it for fun to see what you can find out though.
 
Looks like you are to me. Also check out requests for port 5900, that is used by VNC, another remote desktop program.
 
Looks like a botnet trying common access ports, 3389 - RDP, 5900 - VNC, maybe other services as well. We'd need a larger sample to tell. If you must have Port 3389 open, then lock access to it down from a specific IP and bounce to it from that.
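An added example, not from any poster, that turns the two points made in this thread into a check you can run over a `netstat -an` listing: the handshake states explained a few replies up, and the RDP/VNC ports (3389, 5900) named in the last two replies. One detail worth verifying against the screenshot: in netstat output, SYN_SENT is the state of the host that sent the SYN, so a row whose local address is the .115 device and whose foreign address is an outside IP on port 3389 means the local device initiated that connection; an inbound attempt that got past the firewall shows as SYN_RECEIVED (SYN_RECV on Linux) or ESTABLISHED on the local 3389 port. The classifier below encodes that direction rule. The sample rows are constructed, using 198.51.100.0/24 and 203.0.113.0/24 documentation ranges in place of the foreign addresses; the verdict names and the set of watched ports are assumptions you can extend.

```python
import ipaddress
from collections import Counter

# Remote-access ports named in the thread: RDP and VNC (extend as needed).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC"}

# Windows netstat prints LISTENING / SYN_RECEIVED; Linux prints LISTEN / SYN_RECV.
STATE_ALIASES = {"LISTEN": "LISTENING", "SYN_RECV": "SYN_RECEIVED"}

# Address space treated as "inside": RFC 1918, loopback, link-local, IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def is_external(ip):
    """True for an address outside the internal ranges (the 'foreign' IPs)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False              # '*' or a hostname, not an address
    if addr.is_unspecified:
        return False              # 0.0.0.0 / :: in LISTENING rows
    return not any(addr in net for net in INTERNAL_NETS)

def _split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)

def parse_netstat_line(line):
    """Turn one 'netstat -an' TCP row into a dict; None for headers and UDP rows."""
    parts = line.split()
    if len(parts) != 4 or parts[0].upper() not in ("TCP", "TCP6"):
        return None
    try:
        local_ip, local_port = _split_endpoint(parts[1])
        remote_ip, remote_port = _split_endpoint(parts[2])
    except ValueError:
        return None
    state = STATE_ALIASES.get(parts[3].upper(), parts[3].upper())
    return {"local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port, "state": state}

def classify(row):
    """Verdict based on who sent the SYN, not only on which port appears."""
    state = row["state"]
    if state == "LISTENING" and row["local_port"] in REMOTE_ACCESS_PORTS:
        return "service_listening"              # the port really is open on this host
    if state == "SYN_SENT":
        # SYN_SENT is the initiator's state: the LOCAL host sent the SYN and is
        # waiting for a SYN-ACK. An inbound scan never appears as SYN_SENT here.
        if row["remote_port"] in REMOTE_ACCESS_PORTS and is_external(row["remote_ip"]):
            return "outbound_probe_from_local_host"
        return "outbound_attempt"
    if state == "SYN_RECEIVED":
        return "inbound_half_open"              # remote SYN arrived, our SYN-ACK unanswered
    if (state == "ESTABLISHED" and row["local_port"] in REMOTE_ACCESS_PORTS
            and is_external(row["remote_ip"])):
        return "inbound_remote_access_session"  # an outside host completed the handshake
    return "other"

def triage(lines):
    records = []
    for line in lines:
        row = parse_netstat_line(line)
        if row is None:
            continue
        row["verdict"] = classify(row)
        row["service"] = (REMOTE_ACCESS_PORTS.get(row["local_port"])
                          or REMOTE_ACCESS_PORTS.get(row["remote_port"]))
        records.append(row)
    return records

def summarize(records):
    return Counter(r["verdict"] for r in records)

def initiators(records, verdict):
    """IPs that started the connections carrying a verdict: the local host for
    SYN_SENT rows, the remote host otherwise."""
    return sorted({r["local_ip"] if r["state"] == "SYN_SENT" else r["remote_ip"]
                   for r in records if r["verdict"] == verdict})

# Constructed sample in 'netstat -an' layout (documentation IP ranges as the foreign side).
SAMPLE = """
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    192.168.1.115:49213    203.0.113.45:3389      SYN_SENT
TCP    192.168.1.115:49214    203.0.113.46:5900      SYN_SENT
TCP    192.168.1.115:49215    198.51.100.7:3389      SYN_SENT
TCP    192.168.1.10:3389      198.51.100.9:40001     SYN_RECEIVED
TCP    192.168.1.10:3389      198.51.100.9:40002     ESTABLISHED
TCP    192.168.1.10:52001     192.168.1.20:445       ESTABLISHED
UDP    0.0.0.0:137            *:*
""".strip().splitlines()

if __name__ == "__main__":
    recs = triage(SAMPLE)
    for verdict, n in summarize(recs).items():
        print(f"{verdict:32s} {n:3d}  initiators={initiators(recs, verdict)}")
```

On the constructed sample the .115 host is the only initiator of the three outbound SYNs to 3389/5900, while 198.51.100.9 is the only outside host with a completed session on the local RDP port; those two lists are what to compare against the firewall's inbound and outbound rules before deciding which side of the network the problem is on.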
 