Me, A Hacker?

A few days back I received a letter from Amazon EC2 where some of my appliance hosting resides:

Dear Amazon EC2 Customer,

We’ve received a report that your instance(s):

Instance Id: i-be2ee0ea
IP Address: 46.137.XXX.XXX

has been making illegal intrusion attempts against remote hosts on the Internet; check the information provided below by the abuse reporter.

Host Intrusion is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please immediately restrict the flow of traffic from your instance(s) to cease disruption to other networks and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It’s possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233 provides some suggestions for securing your instances.

Case number: 12937466983-1

Additional abuse report information provided by original abuse reporter:
* Destination IPs:
* Destination Ports:
* Destination URLs:
* Abuse Time: Tue Apr 17 02:10:24 UTC 2012
* Log Extract:
<<<

2012-04-17 02:10:24.773209 IP (tos 0x0, ttl 128, id 11697, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63732 > 112.67.116.160.3389: Flags [S], cksum 0xc87d (correct), seq 1290811049, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.773313 IP (tos 0x0, ttl 128, id 11698, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63733 > 216.169.213.118.3389: Flags [S], cksum 0x08da (correct), seq 3600982876, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.773353 IP (tos 0x0, ttl 128, id 11699, offset 0, flags [DF], proto TCP (6), length 64) 10.139.33.104.63541 > 91.176.95.155.3389: Flags [P.], cksum 0x3424 (correct), seq 4198313113:4198313137, ack 1826613510, win 64985, length 24
2012-04-17 02:10:24.776028 IP (tos 0x0, ttl 128, id 11700, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63734 > 128.49.252.222.3389: Flags [S], cksum 0x8a38 (correct), seq 1143989632, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.776178 IP (tos 0x0, ttl 128, id 11701, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63735 > 111.199.115.152.3389: Flags [S], cksum 0xa32f (correct), seq 3819226819, win 8192, options [mss 1460,nop,nop,sackOK], length 0

>>>

Seems like my Windows box has been doing some naughty things to Remote Desktop clients all over the Internet. Must be because I didn’t patch my installation, cos after I updated it, the attempts stopped.

http://technet.microsoft.com/en-us/security/bulletin/ms12-020
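The log extract in the abuse report shows the pattern a defender wants to catch on their own host before an abuse desk does: one source sending bare SYNs to the same port (3389) on several distinct hosts within a few milliseconds, with one line ([P.]) belonging to an already established connection and so not part of the scanning itself. The script below is an added example and not part of the original post or of anything Amazon provides: it parses tcpdump lines in the format quoted above, keeps only outbound bare SYNs to the port of interest, and flags a source that reaches a threshold of distinct destinations inside a sliding time window. The sample input is constructed from the quoted extract (with the wrapped lines joined), and the function names, the 60-second window and the four-target threshold are my own assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the tcpdump extract quoted in the abuse
# report. The addresses are the ones that appear in the report; this is not a
# fresh capture.
SAMPLE_LOG = """\
2012-04-17 02:10:24.773209 IP (tos 0x0, ttl 128, id 11697, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63732 > 112.67.116.160.3389: Flags [S], cksum 0xc87d (correct), seq 1290811049, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.773313 IP (tos 0x0, ttl 128, id 11698, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63733 > 216.169.213.118.3389: Flags [S], cksum 0x08da (correct), seq 3600982876, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.773353 IP (tos 0x0, ttl 128, id 11699, offset 0, flags [DF], proto TCP (6), length 64) 10.139.33.104.63541 > 91.176.95.155.3389: Flags [P.], cksum 0x3424 (correct), seq 4198313113:4198313137, ack 1826613510, win 64985, length 24
2012-04-17 02:10:24.776028 IP (tos 0x0, ttl 128, id 11700, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63734 > 128.49.252.222.3389: Flags [S], cksum 0x8a38 (correct), seq 1143989632, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2012-04-17 02:10:24.776178 IP (tos 0x0, ttl 128, id 11701, offset 0, flags [DF], proto TCP (6), length 48) 10.139.33.104.63735 > 111.199.115.152.3389: Flags [S], cksum 0xa32f (correct), seq 3819226819, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

# Matches the tcpdump "-v" style line used in the report: timestamp, the
# parenthesised IP header summary, then "src.sport > dst.dport: Flags [..]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_bare_syn(flags):
    # "S" is a new connection attempt. "S." is a SYN-ACK reply and "P.", "."
    # and friends belong to connections that already completed the handshake,
    # so they are not evidence of scanning on their own.
    return flags == "S"


def find_scanners(log_text, port=3389, window_seconds=60, min_targets=4):
    """Return {src: sorted destination IPs} for every source that sent bare
    SYNs to at least `min_targets` distinct hosts on `port` within any
    `window_seconds` span. Thresholds are assumptions chosen for this example."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dport"] == port and is_bare_syn(pkt["flags"]):
            events[pkt["src"]].append((pkt["ts"], pkt["dst"]))

    hits = {}
    for src, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Advance the window start until it spans at most window_seconds.
            while (seen[end][0] - seen[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in seen[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src} attempted RDP connections to {len(targets)} hosts: {', '.join(targets)}")
```

Run against the sample, the detector reports 10.139.33.104 (the instance's private address as it appears in the extract) reaching four distinct hosts on 3389, while the [P.] packet to 91.176.95.155 is ignored because it is not a new connection attempt. In practice the same logic would be fed from a continuous `tcpdump -v` on the instance or from VPC flow data, and the first alert is the moment to isolate the host and patch rather than wait for the abuse ticket.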
