Watching the net monitor again, with network applications turned off. Saw one unassociated address, tracked down to Henan, China. To look this up, I stopped the monitor and opened the web browser. Then I started the monitor up again, and right away realized I had failed to check the port number.
Luckily (or unluckily) I caught another one. This one was either in Georgia (.ge) or Turkey; I think the service is based in Turkey, but the address was in Georgia.
So, this address exchanged several TCP packets with my computer, none of which seemed to contain anything (I say this only because they had 'payload lengths' of zero; this is not something I have researched yet). They were exchanged through port 3389, which actually carried a label: MS WBT SERVER. What is MS WBT SERVER, you ask? This is the port used by the 'Remote Desktop' utility in Windows. Obviously, this was something in the Caucasus searching for a computer with a somehow vulnerable port 3389.
How to tell if it's vulnerable? Maybe if I was using the utility? I don't know. Maybe he's watching me type right now, though I think then I'd be able to see him still. It was a total of 8 TCP packets, followed a couple of minutes later by 2 UDP packets.
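A zero-payload TCP exchange like the one described above is what a connection probe looks like on the wire: the remote host sends a SYN, and the local machine answers either SYN/ACK (something is listening on that port) or RST (nothing is), with no application data ever crossing. The "MS WBT SERVER" label is simply the IANA service name registered for port 3389; the monitor attaches it from the port number alone and does not verify that Remote Desktop was actually spoken. The script below is an added example, not part of the original post: it takes one-line-per-packet summaries in a tshark-like format (the capture lines and the RFC 5737 documentation addresses are constructed for illustration) and triages each remote peer as "session", "probe, port open" or "probe, port closed". Note that a probe only tells the scanner whether the port is listening; listening is not the same as vulnerable.

```python
"""Added example: classify zero-payload TCP exchanges in a capture as port probes.

Input is a constructed, tshark-like one-line-per-packet summary (not real data):
    <time> <src> <dst> <proto> <sport> <dport> <tcp-flags> <payload-bytes>
Addresses are RFC 5737 documentation ranges (an assumption, not from the post).
"""
from collections import defaultdict
from dataclasses import dataclass

# Capture tools label a port with its IANA service name. This is a lookup on the
# port number only and says nothing about which protocol was actually spoken.
SERVICE_NAMES = {3389: "ms-wbt-server", 22: "ssh", 80: "http", 443: "https"}


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str    # "TCP" or "UDP"
    sport: int
    dport: int
    flags: str    # TCP flags as letters: S=SYN, A=ACK, R=RST, F=FIN ("" for UDP)
    payload: int  # bytes of application payload (the monitor's "payload length")


def parse_line(line: str) -> Packet:
    """Parse one summary line; '-' in the flags column means no TCP flags (UDP)."""
    ts, src, dst, proto, sport, dport, flags, payload = line.split()
    flags = "" if flags == "-" else flags
    return Packet(float(ts), src, dst, proto, int(sport), int(dport), flags, int(payload))


def service_name(port: int) -> str:
    return SERVICE_NAMES.get(port, str(port))


def classify_peer(pkts, local_ip: str) -> dict:
    """Summarise every packet between local_ip and one remote peer.

    Verdict rules (a simple heuristic written for this example, not a scanner signature):
      - any TCP payload byte           -> "session": real application traffic
      - remote SYN answered by SYN/ACK -> "probe, port open": something is listening
      - remote SYN answered by RST     -> "probe, port closed": nothing listening
      - otherwise                      -> "unclassified"
    """
    tcp = [p for p in pkts if p.proto == "TCP"]
    udp = [p for p in pkts if p.proto == "UDP"]
    ports = sorted({p.dport for p in tcp if p.dst == local_ip})
    remote_syns = [p for p in tcp if p.dst == local_ip and "S" in p.flags and "A" not in p.flags]
    local_synacks = [p for p in tcp if p.src == local_ip and "S" in p.flags and "A" in p.flags]
    local_rsts = [p for p in tcp if p.src == local_ip and "R" in p.flags]
    payload_bytes = sum(p.payload for p in tcp)

    if payload_bytes > 0:
        verdict = "session"
    elif remote_syns and local_synacks:
        verdict = "probe, port open"
    elif remote_syns and local_rsts:
        verdict = "probe, port closed"
    else:
        verdict = "unclassified"
    return {
        "tcp_packets": len(tcp),
        "udp_packets": len(udp),
        "tcp_payload_bytes": payload_bytes,
        "ports": [f"{p}/tcp ({service_name(p)})" for p in ports],
        "verdict": verdict,
    }


def analyse(lines, local_ip: str) -> dict:
    """Group packets by remote peer and classify each peer."""
    by_peer = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        p = parse_line(line)
        peer = p.src if p.dst == local_ip else p.dst
        by_peer[peer].append(p)
    return {peer: classify_peer(pkts, local_ip) for peer, pkts in by_peer.items()}


# Constructed capture: 203.0.113.45 sends four SYNs to 3389/tcp, each answered with
# RST/ACK (nothing listening), then two UDP datagrams to 3389/udp a couple of minutes
# later; 198.51.100.7 gets a SYN/ACK back from 22/tcp, so that port is listening.
SAMPLE = """
0.000 203.0.113.45 192.168.1.10 TCP 51234 3389 S 0
0.001 192.168.1.10 203.0.113.45 TCP 3389 51234 RA 0
0.900 203.0.113.45 192.168.1.10 TCP 51234 3389 S 0
0.901 192.168.1.10 203.0.113.45 TCP 3389 51234 RA 0
1.800 203.0.113.45 192.168.1.10 TCP 51234 3389 S 0
1.801 192.168.1.10 203.0.113.45 TCP 3389 51234 RA 0
2.700 203.0.113.45 192.168.1.10 TCP 51234 3389 S 0
2.701 192.168.1.10 203.0.113.45 TCP 3389 51234 RA 0
130.0 203.0.113.45 192.168.1.10 UDP 51235 3389 - 32
130.5 203.0.113.45 192.168.1.10 UDP 51235 3389 - 32
5.000 198.51.100.7 192.168.1.10 TCP 40000 22 S 0
5.001 192.168.1.10 198.51.100.7 TCP 22 40000 SA 0
5.002 198.51.100.7 192.168.1.10 TCP 40000 22 A 0
5.003 198.51.100.7 192.168.1.10 TCP 40000 22 R 0
""".strip().splitlines()

if __name__ == "__main__":
    for peer, summary in analyse(SAMPLE, "192.168.1.10").items():
        print(peer, summary)
```

In a real capture the same triage applies: if your own host never sent a SYN/ACK on 3389 and no payload moved, the scanner learned only that nothing was listening there. If it did send a SYN/ACK, Remote Desktop (or something else bound to that port) is reachable from the internet, which is the moment to check the firewall rather than the packet list.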
Very interesting!
You were using the Remote Desktop service?
No, no, but someone was checking to see if I was.
Thank you for looking at my journal. As you can see, I know almost nothing about the internet. Learning day by day...
What tool did you use to capture the packets?
I was using Microsoft Network Monitor; I have switched to Wireshark sometimes lately.
I saw some strange outgoing connections to a .tr domain not on RDP ports, but showing as ms-wbt-server and originating from svchost... very strange indeed.
Just google ms-wbt-server lol, you will find all the answers you seek. It's nothing to worry about.
Mwahaha, g-wiz, that's how everyone winds up here!