Tuesday, April 20, 2010

MS WBT SERVER

watching the net monitor again, with network applications turned off. saw one unassociated address - tracked down to Henan, China. to look this up, i stopped the monitor and opened the web browser. then i started the monitor up again, and right away realized i had failed to check the port number.
luckily (or unluckily) i caught another one. this one was either in Georgia (.ge) or Turkey - i think the service is based in Turkey, but the address was in Georgia.

so, this address exchanged several TCP packets with my computer, none of which seemed to contain anything (i say this only because they had 'payload lengths' of zero - this is not something i have researched yet). they were exchanged through port 3389, which actually carried a label: MS WBT SERVER. what is MS WBT SERVER you ask? this is the port used by the 'Remote Desktop' utility in windows. obviously, this was something in the Caucasus searching for a computer with a somehow vulnerable port 3389.

how to tell if it's vulnerable? maybe if i was using the utility? i don't know. maybe he's watching me type right now, though i think then i'd be able to see him still. it was a total of 8 TCP packets, followed a couple of minutes later by 2 UDP packets.

very interesting!
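
An added example, not part of the original post: a small Python classifier over exported packet summaries that separates zero-payload contacts on port 3389, like the ones described above, from a connection that actually carried data. The record layout, the flag letters and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

RDP_PORT = 3389  # registered with IANA as ms-wbt-server

# Constructed sample records, not taken from the post's capture:
# (remote_ip, direction, proto, local_port, tcp_flags, payload_len)
# direction is "in" (remote -> local) or "out" (local -> remote);
# flag letters: S=SYN, A=ACK, R=RST, P=PSH.
SAMPLE = [
    ("203.0.113.7", "in", "tcp", 3389, "S", 0),
    ("203.0.113.7", "out", "tcp", 3389, "RA", 0),
    ("203.0.113.7", "in", "tcp", 3389, "S", 0),
    ("203.0.113.7", "out", "tcp", 3389, "RA", 0),
    ("192.0.2.44", "in", "tcp", 3389, "S", 0),
    ("192.0.2.44", "out", "tcp", 3389, "SA", 0),
    ("192.0.2.44", "in", "tcp", 3389, "R", 0),
    ("198.51.100.9", "in", "tcp", 3389, "S", 0),
    ("198.51.100.9", "out", "tcp", 3389, "SA", 0),
    ("198.51.100.9", "in", "tcp", 3389, "A", 0),
    ("198.51.100.9", "in", "tcp", 3389, "PA", 19),
    ("198.51.100.9", "out", "tcp", 3389, "PA", 19),
]

def classify_rdp_contacts(records, port=RDP_PORT):
    """Return {remote_ip: verdict} for TCP traffic on the local RDP port."""
    flows = defaultdict(lambda: {"synack": False, "rst_out": False, "data": 0})
    for remote, direction, proto, local_port, flags, payload in records:
        if proto != "tcp" or local_port != port:
            continue
        f = flows[remote]
        f["data"] += payload  # handshake and reset segments carry 0 bytes
        if direction == "out" and "S" in flags and "A" in flags:
            f["synack"] = True   # local listener answered: port is open
        if direction == "out" and "R" in flags:
            f["rst_out"] = True  # local stack refused: nothing listening
    verdicts = {}
    for remote, f in flows.items():
        if f["data"] > 0:
            verdicts[remote] = "session: payload exchanged, port open"
        elif f["synack"]:
            verdicts[remote] = "probe: port open, no data sent"
        elif f["rst_out"]:
            verdicts[remote] = "probe: port closed"
        else:
            verdicts[remote] = "probe: no reply seen (filtered or dropped)"
    return verdicts
```

A run of zero-length segments means only connection setup or teardown was seen; which way the local machine replied shows whether anything was listening on the port.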

7 comments:

  1. u were using Remote Desktop service?

  2. no no, but someone was checking to see if i was.

    thank you for looking at my journal. as you can see, i know almost nothing about the internet. learning day by day...

  3. What tool did U use to capture the packets?

  4. i was using microsoft network monitor, i have switched to wireshark sometimes lately..

  5. I saw some strange outgoing connections to a .tr domain not on rdp ports, but showing as ms-wbt-server and originating from svchost....very strange indeed

  6. just google ms-wbt-server lol you will find all the answers you seek. It's nothing to worry about.

  7. mwahaha, g-wiz, that's how everyone winds up here!
