Worms exploiting Windows Remote Desktop Vulnerabilities knock on port 3389
Microsoft has announced that their Windows OS has yet another critical security hole which allows anyone to take control over machines running that operating system if Remote Desktop Services are enabled. The result is that you may be seeing attempts to connect to port 3389 in your firewall logs. These can safely be ignored since they are only targeting Windows-infected computers.
No user interaction is required to take over an unpatched Windows machine running its built-in Remote Desktop Services: the flaws are reachable before any authentication takes place, which means that worms and malware can exploit this gaping security hole with ease. Microsoft issued patches for the vulnerabilities known as CVE-2019-1181 and CVE-2019-1182 on Tuesday the 13th of August 2019. These affect Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and all versions of Windows 10 (including server versions). Remote Desktop Services are disabled by default so this only affects Windows machines where RDS has been manually enabled. Turning on Network Level Authentication (NLA) is a partial mitigation, since an attacker then needs valid credentials before the vulnerable code can be reached, but it is no substitute for installing the patch.
ncat from the nmap package (it is in a separate package called nmap-ncat on some distributions) can be used to listen on port 3389 and view attempts to connect to it:

ncat -v -k -l 3389

The -v flag prints the source address of every connection; -k keeps ncat listening after the first client disconnects instead of exiting after one connection. Port 3389 is above 1024, so no root privileges are needed, but make sure nothing else (an xrdp server, for example) is already bound to it. Only scanners that complete the TCP handshake show up this way; a bare SYN scan never reaches accept() and is invisible to ncat.
Windows users should update their machines and disable RDS if that service is not required, or stop using a toy OS and upgrade to a real one like Debian or Manjaro. GNU/Linux users need to do nothing since the only effect on GNU/Linux is a minor increase in traffic on port 3389 hitting routers, firewalls and machines directly connected to the Internet - unless someone on your LAN is infected. The LAN case is the easiest to fix; all you need to do is plug in a USB stick with Debian or Manjaro or another GNU/Linux distribution and remove the Windows infestation.