watching the net monitor again, with network applications turned off. saw one unassociated address - tracked down to Henan, China. to look this up, i stopped the monitor and opened the web browser. then i started the monitor up again, and right away realized i had failed to check the port number.
luckily (or unluckily) i caught another one. this one was either in Georgia (.ge) or Turkey - i think the service is based in Turkey, but the address was in Georgia.
so, this address exchanged several TCP packets with my computer, none of which seemed to contain anything (i say this only because they had 'payload lengths' of zero - this is not something i have researched yet). they were exchanged through port 3389, which actually carried a label: MS WBT SERVER. what is MS WBT SERVER you ask? this is the port used by the 'Remote Desktop' utility in windows. obviously, this was something in the Caucasus searching for a computer with a somehow vulnerable port 3389.
how to tell if it's vulnerable? maybe if i was using the utility? i don't know. maybe he's watching me type right now, though i think then i'd be able to see him still. it was a total of 8 TCP packets, followed a couple of minutes later by 2 UDP packets.
very interesting!
Yeah, I don't know what's going on. Whatever it is that causes people to google "MS-WBT server", and wind up here for a few seconds, got a little worse last week - visits increased by something like 30%. Google is weird, the internet is weird, MS-WBT server is weird.
