This morning's activity log shows this:
. . .
From 23.102.132.99 - 2 packets to tcp(3389)
From 23.102.133.164 - 1 packet to tcp(3389)
From 23.102.134.239 - 2 packets to tcp(3389)
From 23.102.136.210 - 3 packets to tcp(3389)
From 23.102.136.222 - 2 packets to tcp(3389)
From 23.102.137.62 - 3 packets to tcp(3389)
From 23.102.137.101 - 2 packets to tcp(3389)
From 23.102.138.184 - 1 packet to tcp(3389)
From 23.102.138.216 - 1 packet to tcp(3389)
From 23.102.139.11 - 2 packets to tcp(3389)
From 23.102.139.27 - 5 packets to tcp(3389)
From 23.102.140.90 - 2 packets to tcp(3389)
From 23.102.140.158 - 3 packets to tcp(3389)
From 23.102.161.114 - 1 packet to tcp(3389)
From 23.102.170.1 - 2 packets to tcp(3389)
From 23.102.170.48 - 4 packets to tcp(3389)
From 23.102.171.49 - 2 packets to tcp(3389)
From 23.102.172.233 - 2 packets to tcp(3389)
From 23.102.173.124 - 2 packets to tcp(3389)
. . .
These are either mostly or entirely Microsoft.com addresses. Any ideas as to what legitimate use this probing might have? I know that 3389 is MS-RDP. My question is why would a 'reputable' firm be scanning my systems for open connections on that port?
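As an added example (not from anyone in this thread), here is a small Python helper that parses activity-log entries in the "From <ip> - N packet(s) to tcp(<port>)" shape shown above, keeps only the probes to one port, and rolls them up per source /24 and per configured prefix, so a sweep spread across many hosts in one provider's range shows up as a single total rather than a scatter of one- and two-packet hits. The prefix list and the sample log lines are constructed assumptions, not a statement about who owns that range.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the same shape as the activity log in the post.
# The parser also copes with the run-together, single-line form seen in
# the mail archive, since it scans for entries rather than splitting on newlines.
SAMPLE_LOG = """
From 23.102.132.99 - 2 packets to tcp(3389)
From 23.102.133.164 - 1 packet to tcp(3389)
From 23.102.139.27 - 5 packets to tcp(3389)
From 23.102.170.48 - 4 packets to tcp(3389)
From 198.51.100.7 - 1 packet to tcp(22)
"""

ENTRY = re.compile(r"From (\S+) - (\d+) packets? to (tcp|udp)\((\d+)\)")


def parse_entries(text):
    """Yield (ip, count, proto, port) for every entry found in the text."""
    for m in ENTRY.finditer(text):
        ip, n, proto, port = m.groups()
        yield ipaddress.ip_address(ip), int(n), proto, int(port)


def summarize(text, port=3389, networks=("23.102.0.0/16",)):
    """Aggregate TCP probes to `port` by source /24 and by the prefixes in
    `networks`.  `networks` is an assumed list of prefixes you want to
    attribute hits to (for example a provider's published ranges); the /16
    default is only a constructed placeholder for this demonstration."""
    nets = [ipaddress.ip_network(n) for n in networks]
    per_net = Counter()
    per_24 = Counter()
    sources = set()
    for ip, n, proto, p in parse_entries(text):
        if proto != "tcp" or p != port:
            continue  # ignore other ports/protocols in the same log
        sources.add(ip)
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_24[str(block)] += n
        for net in nets:
            if ip in net:
                per_net[str(net)] += n
    return {"sources": len(sources), "per_24": dict(per_24), "per_net": dict(per_net)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```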
James B. Byrne wrote on Wed, 20 Aug 2014 11:06:20 -0400:
23.102.173.124
Google says: http://security.stackexchange.com/questions/26486/failed-rdp-brute-force-attack-from-microsoft-ip-address
Kai
On Aug 20, 2014, at 9:06, James B. Byrne byrnejb@harte-lyne.ca wrote:
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Azure servers.
You’ll also see them from Amazon’s cloud.
Neither company apparently does any active monitoring of the total crud they allow people to spew from their VMs. We’ve seen everything from RDP to SSH brute force scripts from both.
How one could get into the VM business without KNOWING idiots would happily pay for and utilize VMs on big bandwidth to do stupid human tricks, and take appropriate precautions NOT to become part of the problem… is beyond me.
Nate
On 8/25/2014 18:18, Nathan Duehr wrote:
How one could get into the VM business without KNOWING idiots would happily pay for and utilize VMs on big bandwidth to do stupid human tricks, and take appropriate precautions NOT to become part of the problem… is beyond me.
Easy.
1. Most of these bots are probably zombie infections, using resources paid for by someone else.
2. These bots use CPU, memory, and bandwidth, which is how these providers make their money. The more you use, the more money they make. Wondering why they don't take measures to stop it is like wondering why Exxon hasn't started building Tesla Supercharger stations everywhere.