
[Win Server 2003] VPN or PROXY to change IP in RDP ?


31 replies to this topic

#1 zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 02 August 2013 - 21:31

Hello,

I want to know if it is possible for a malicious person to go through a VPN or proxy to change their IP when connecting to a remote desktop.

And is it therefore possible to set an IP range for the remote desktop in Windows Server 2003?

Thank you in advance for your info.

Cordially.



Best Answer +BudMan, 09 August 2013 - 18:46

What?



#2 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 02 August 2013 - 22:12

If they have admin access over the computer they are remoting into, yes they can change the IP address. If they do not have admin access to it, they cannot.



#3 OP zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 03 August 2013 - 22:56

There has been an intrusion into the server, and the IP that I found is a Chinese IP. But what seems strange is that the person had an administrator account on the server ... How could he have done that? Since we must be physically present at the server or already have a remote desktop account. And that is why I asked the question on the forum, to see if it's not someone in the office who would hide their IP to do it.



#4 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 04 August 2013 - 04:44

There is an RDP exploit, and if your server is left unpatched with a weak admin password it will get brute forced very quickly. This has been known for at least 2 years now. Tighten up your security and don't use an easy admin password; better yet, don't use the standard administrative user called administrator, rename it.

https://www.microsof...m:Win32/Morto.A

#5 OP zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 04 August 2013 - 15:14

OK! Thx for your information. I'll try to modify it faster!



#6 +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 04 August 2013 - 15:17

Yeah there is an RDP Hacking tool. So they can log onto (Generally Speaking, Unless you have tied it down with Group Policy or Local Policy) with whatever account they damn well please. As for any Proxy you can proxy ANY Traffic. Enjoy the wonders of the internet.



#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 August 2013 - 17:22

Who would ever in their right mind expose rdp directly to the public net?? That would be just nuts.. You should be restricting IPs that can access at a min. I would only allow rdp via vpn, with secure 2 factor auth to access the vpn in the first place?

#8 OP zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 04 August 2013 - 19:36

How can I restrict IPs to access RDP? Can't load Windows Firewall...



#9 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 04 August 2013 - 19:47

A good hardware firewall will allow you to make access control lists or ACLs.

Why can't you enable windows firewall? If the system won't enable you to then you should run a cleanup for morto and other viruses and root kits.

#10 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 04 August 2013 - 20:04

Yeah worst case you could use the software firewall.. And I agree if you can not even start the software firewall you have something major wrong that needs to be fixed!!

But what are you using to connect this server to the internet? Even the most basic of soho home routers should allow you to restrict the source IP that can access your port forward to rdp.

#11 Aergan

Aergan

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 24-September 05
  • Location: Staffordshire, UK
  • OS: Xubuntu 14.04.1 / Server 2012 R2 / Ubuntu Server 14.04.1
  • Phone: Sony Xperia Z1

Posted 04 August 2013 - 20:09

Server 2003 that is directly accessible via the internet and you have RDP enabled? I'd bet that one person you detected is the least of your concerns by now. Honestly, I hope you have nothing of any financial importance on the connected infrastructure.



#12 OP zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 05 August 2013 - 15:59

Thank you for your reply. I have a problem getting into the Windows Firewall on 2003; I got a message saying: .... "The Windows Firewall can not execute because another program or service that is currently running could use the component of network address translation (Ipnat.sys)."

I did some research on the forums and I disabled the VPN; it is still the same ...

Would you have an idea for this? Because being able to allow only certain IPs in the firewall is something I would be interested in.

The router's firewall (Linksys WRT54GL) only allows customizing the internet IP... or is it the same?

Thank you in advance.

PS: The intruder used another port to connect to the server, not the RDP port (3389).



#13 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 05 August 2013 - 16:44

If you're running a WRT54GL -- then you can run any 3rd party firmware you want, openwrt, dd-wrt, tomato -- all of which allow you to put restrictions on your port forwards for source IPs

You mention vpn.. If the server is running VPN, why would rdp be open to public internet at all?

You say they didn't use rdp port 3389.. What other ports do you have open to the public net.. You don't have the server in your router's DMZ do you?

#14 OP zolnora

zolnora

    Neowinian

  • Joined: 02-August 13

Posted 06 August 2013 - 16:03

Sorry if you did not understand my answer. I said: "the person who connected to my server did not use RDP port 3389, but he used a port like 14564..."

Yes, I had VPN enabled on the server ====> but it is disabled now (I don't know who enabled it)

Yes, I use public RDP so I can connect from my home to work on it.

Yes, I use dd-wrt, but is it only possible to manage the internet IP? No?

Thanks in advance.

PS: Sorry for my poor English.



#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 90
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 August 2013 - 16:26

"but he use one port like 14564"

And what service would be listening on that port to connect to? That seems unlikely, more likely you are reading the info given wrong.. Possible that is the source port they connected from?

So you access your box via rdp from your house.. So on your router where you forward 3389 to your server's IP, put a restriction that traffic that can be forwarded to your server's internal IP can only come from your house IP.. Or if your IP changes quite often, then limit it to your isp netblock say 24.13.?.0/24 or /23 or /22, etc. This at least limits your exposure to who can hit your remote desktop to small number, vs say every bot/hacker in China ;)
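
The two points in the post above, as an added example that is not code from the thread: a Python check over `netstat -an` output that separates the server's local listening port from the remote source port, and flags RDP sessions whose source lies outside an allow-listed netblock. The sample lines, the 192.168.1.10 server address and the 198.51.100.0/24 netblock are constructed placeholders.

```python
import ipaddress

# Constructed sample of `netstat -an` output on the server (not from the thread).
# Columns: protocol, local address, foreign (remote) address, state.
SAMPLE = """\
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.57:14564     ESTABLISHED
  TCP    192.168.1.10:3389      198.51.100.20:50211    ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.23:1042      ESTABLISHED
"""

# Assumed allow-list: placeholder standing in for the home ISP netblock.
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]


def split_endpoint(endpoint):
    """Split 'ip:port' on the last colon and return (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def audit_rdp(netstat_text, allowed, rdp_port=3389):
    """Return (remote_ip, remote_port, permitted) for every established
    TCP session whose LOCAL port is the RDP listener."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            (_, lport), (rip, rport) = map(split_endpoint, fields[1:3])
        except ValueError:
            continue  # skip lines that do not parse as IPv4 ip:port
        if lport != rdp_port:
            continue  # not an RDP session
        permitted = any(rip in net for net in allowed)
        findings.append((str(rip), rport, permitted))
    return findings


if __name__ == "__main__":
    for ip, port, ok in audit_rdp(SAMPLE, ALLOWED):
        status = "allowed" if ok else "OUTSIDE allow-list"
        print(f"{ip} (source port {port}): {status}")
```

In the sample, 14564 appears only in the remote column: it is the client's ephemeral source port, while the service reached on the server is still 3389.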