
To my surprise, Security Event 10 was for 104.43.193.6, which is apparently a Microsoft ip address: http://ip2location.com/demo/104.43.193.6 = Microsoft Corporation.

Likely AFAIK someone has leased 104.43.193.6 and is using it to randomly attack ip addresses in the hope of logging on via RDP ...

Since my web server is a dedicated Windows Web Server that is relatively unknown (it's NOT Sony and we are not hosting trailers for a silly movie), it's highly unlikely that it was attacked other than by random churning through ip address ranges.

Such churning attacks, even simultaneous ones, are normal; for example, today the Microsoft-owned ip address, another from China, and a third from Kansas City were simultaneously attempting to log on via RDP.

What bothers me is that one would hope Microsoft would show enough concern to want to shut down one of its customers involved in hacking; to be fair, it could also be someone who has compromised a computer that belongs to one of Microsoft's customers.

MORE INFORMATION

Microsoft Canada +1 905 568-0434 switchboard transferred me to someone in the Philippines, wrong department, who transferred me to malware (wrong department) who was not capable of understanding the issue and after 20 minutes finally transferred me to someone in professional services who was also clueless and after another 15 minutes was replaced by a recording that stated all of Microsoft's phone lines were busy; the recording suggested using the internet to contact Microsoft.

Halfway through trying to report the RDP attack to Microsoft, the attacking ip address stopped trying ... at my end, logs were captured via Wireshark.

One hopes perhaps Microsoft would like to see those logs ... one also hopes there is a better way of informing Microsoft of such attacks as they are happening.

How does one report an RDP attack to Microsoft when it's happening in real time?

P.S.: if this is the wrong forum for this question, please redirect me. Thank you.

2015-12-26 update (from ms auto-reply):

Thank you for contacting cert@microsoft.com.    
This alias is monitored by the Microsoft    
Online Services Security Incident Response Team    
and is used to collect security and abuse reports    
from security organizations specific to our Online Services    
such as Windows Azure, Bing, Hotmail, Windows Live, etc.  

This alias is not currently monitored 24/7;
expect a response in 1-2 business days.  
gerryLowry
  • this question has quickly earned 5 down votes without a single comment as to why; seriously, as per my request, "*if this is the wrong forum for this question, please redirect me*" http://weblogs.asp.net/gerrylowry/clarity-is-important-both-in-question-and-in-answer – gerryLowry Feb 10 '15 at 19:38
  • `how does one report an RDP attack to Microsoft when it's happening in real time?` Why does one care? If one was smart, one would (at a minimum) change the port the Remote Desktop server listens on, precisely to avoid this kind of automated attack. – HopelessN00b Feb 10 '15 at 20:00
  • @HopelessN00b -- changing the port is useless because the attacks try thousands of ports. To answer your question, why does one care ... if attacks can be reported in real time to the owner of the ip address, assuming that the owner is allowing someone else to use that ip address, then the owner can quickly shut down the perpetrator, thus knocking the bad guys offline for at least a little while. FWIW – gerryLowry Feb 10 '15 at 20:42

1 Answer


If you check the whois record for that IP, it tells you:

Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment: * https://cert.microsoft.com.

update ~~ from direct ms e-mail to myself {gerry}:
(a) "the max length for e-mail addresses has changed to 100" by ms so most e-mail addresses can now be accepted
(b) one "can always send IP details, logs and any helpful information to cert@microsoft.com"
(c) ms "will always take reports at this address if you can provide us with enough information to investigate. We really stress the timestamps, the more accurate they are, the faster we can identify those responsible"

gerryLowry
faker
  • this is unlikely to be a Microsoft online service; the ip2location record simply shows that Microsoft Corporation is the ISP, so it is likely a host belonging to a customer of Microsoft rather than a Microsoft-owned host -- regardless, it seems like Microsoft must have a more direct and more immediate way of reporting an event while that event is still happening ... by my best guess, based on the number of events in my server Security Event Log, at least a few thousand failed logins happened from the Redmond ip address ... imho ChinaNet Network is unlikely to act but one hopes that Microsoft cares. – gerryLowry Feb 10 '15 at 19:16
  • P.S.: https://cert.microsoft.com/report.aspx looks like it might be useful for after the fact reporting of "*malicious network activity originating from a Microsoft IP address*". thnx – gerryLowry Feb 10 '15 at 19:19
  • joke's on me; the form at https://cert.microsoft.com/report.aspx will not take my full e-mail address even though my e-mail address is legal. "*A valid email address required.*" fails in both Chrome and IE – gerryLowry Feb 10 '15 at 19:23
  • `it is likely a host belonging to a customer of Microsoft` - What does that mean exactly? I'm a Microsoft customer. My traffic doesn't originate from their ip addresses. `reporting of "malicious network activity originating from a Microsoft IP address` - that is in fact the case here is it not? – joeqwerty Feb 10 '15 at 19:30
  • @joeqwerty -- my assumption is that Microsoft has customers on its network; yes, it's possible it's a Microsoft host, but that is somewhat doubtful; the case here is real time reporting not after the fact reporting. (a) it appears the https://cert.microsoft.com/report.aspx is for after the fact reporting; (b) https://cert.microsoft.com/report.aspx cannot handle an e-mail address longer than 35 characters. FWIW – gerryLowry Feb 10 '15 at 19:46
  • That IP is an Azure IP. So those IPs can be used by customers. That page is confusingly written regarding Azure incidents. But it's still probably the best place to report it. – faker Feb 10 '15 at 19:48
  • @faker thank you; how did you discover that 104.43.193.6 is an Azure IP? I tried http://104.43.193.6/ but it finds no pages. `nslookup 104.43.193.6` reports non-existent domain. `tracert 104.43.193.6` was not very useful because it was not able to complete the trace. BTW, @msftsecurity did not respond; however, I just checked and I now see that an e-mail of length 100 can now be used as of February 17th. – gerryLowry Feb 18 '15 at 20:51
  • The attack sounded like something someone would launch from a cloud instance. A look at http://www.microsoft.com/en-us/download/details.aspx?id=41653 confirmed that it's an Azure IP. No easier way to figure it out unfortunately – faker Feb 18 '15 at 21:59
  • @faker ... thank you for your help; I've marked your answer as the answer because the question has been closed and because I appreciate your input ... the apparently more correct answer is that Microsoft does not appear to have any way for end users to report attacks in real time. – gerryLowry Dec 26 '15 at 11:22
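Two practical steps come out of this thread: confirming that a source address falls inside Microsoft's published Azure IP ranges (faker's check against the downloadable datacenter IP list), and turning the Security Event Log entries into the kind of report cert@microsoft.com says it needs, with accurate timestamps and per-source counts. The script below is an added example written for this page, not code from any of the posters. It assumes the Azure list has the layout of the PublicIPs XML file (Region elements containing IpRange elements with a Subnet attribute); the ranges and the failed-logon records embedded here are constructed sample data, and the record fields mirror those of Windows Security event 4625 (failed logon), where logon type 10 is RemoteInteractive (RDP) and attempts rejected at Network Level Authentication usually appear as logon type 3. On a real server you would feed it the current XML file and events exported from the Security log.

```python
"""Triage failed RDP logons and check each source against Azure's published
IP ranges, producing the timestamped summary an abuse report should carry.

All input below is constructed sample data for the example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the assumed layout of Microsoft's Azure datacenter
# IP ranges file: Region elements, each holding IpRange elements with a
# Subnet attribute. Replace with the downloaded file for real checks.
SAMPLE_AZURE_XML = """<AzurePublicIpAddresses>
  <Region Name="uswest">
    <IpRange Subnet="104.40.0.0/13" />
    <IpRange Subnet="13.64.0.0/11" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="40.68.0.0/14" />
  </Region>
</AzurePublicIpAddresses>
"""

# Constructed records in the shape of Security event 4625 fields. Logon type
# 10 is RemoteInteractive (RDP); attempts that fail at NLA show up as type 3,
# so both are counted as RDP brute-force candidates. 203.0.113.77 is a
# documentation address standing in for a second, non-Azure source.
SAMPLE_EVENTS = [
    {"time": "2015-02-10T18:01:07Z", "ip": "104.43.193.6", "user": "administrator", "logon_type": 3},
    {"time": "2015-02-10T18:01:09Z", "ip": "104.43.193.6", "user": "admin", "logon_type": 3},
    {"time": "2015-02-10T18:01:12Z", "ip": "104.43.193.6", "user": "test", "logon_type": 10},
    {"time": "2015-02-10T18:02:40Z", "ip": "203.0.113.77", "user": "administrator", "logon_type": 10},
    {"time": "2015-02-10T18:03:15Z", "ip": "104.43.193.6", "user": "guest", "logon_type": 3},
]


def load_azure_ranges(xml_text):
    """Return a list of (region_name, ip_network) from a PublicIPs-style document."""
    root = ET.fromstring(xml_text)
    ranges = []
    for region in root.iter("Region"):
        name = region.get("Name", "")
        for ip_range in region.iter("IpRange"):
            ranges.append((name, ipaddress.ip_network(ip_range.get("Subnet"), strict=False)))
    return ranges


def azure_region_for(ip, ranges):
    """Name of the Azure region whose published range covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ranges:
        if addr in net:
            return name
    return None


def summarize(events, ranges, threshold=3):
    """Group failed RDP logons by source address and keep sources that reach
    the threshold. Returns {ip: {count, first_utc, last_utc, users, azure_region}}."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in (3, 10):
            by_source[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_source.items():
        if len(evs) < threshold:
            continue
        # Event timestamps are parsed as UTC and re-emitted in ISO 8601 with an
        # explicit offset, since the abuse team stresses accurate timestamps.
        times = sorted(
            datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for e in evs
        )
        report[ip] = {
            "count": len(evs),
            "first_utc": times[0].isoformat(),
            "last_utc": times[-1].isoformat(),
            "users": sorted({e["user"] for e in evs}),
            "azure_region": azure_region_for(ip, ranges),
        }
    return report


def format_report(report):
    """Render the summary as one line per source, ready to paste into a report."""
    lines = []
    for ip, r in sorted(report.items()):
        owner = f"Azure region {r['azure_region']}" if r["azure_region"] else "not in Azure ranges"
        lines.append(
            f"{ip} ({owner}): {r['count']} failed RDP logons, "
            f"{r['first_utc']} .. {r['last_utc']}, accounts tried: {', '.join(r['users'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    azure_ranges = load_azure_ranges(SAMPLE_AZURE_XML)
    print(format_report(summarize(SAMPLE_EVENTS, azure_ranges)))
```

The threshold keeps a single mistyped password from one address out of the report while a burst from one source is listed with its first and last timestamp and the account names tried; on the constructed data only 104.43.193.6 reaches it and is flagged as inside the sample Azure range.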