RDP Been Hacked



What would you check to ensure that your server hasn't been compromised? I have seen a lot of traffic from this one IP address. On the end of the connection is a Windows 2003 Server (fully patched, etc.)....


Since the duration is so low, I doubt it was hacked.

BTW: is that an internet-facing server? RDP open to the internet?


RDP allows anyone to make a connection without authentication... it displays an actual desktop for the username/password prompt if you have not already keyed it in on the RDP client.

The attacker is probably brute forcing many username/password combinations. I have seen a hack where someone (from another IT company) set up a username "Scanner" with the password "scanner" and it was hacked this way.

Realistically, RDP ports should be CLOSED. RDP should not be open to the public internet. Use a VPN or another remote desktop program (NOT VNC either).

If RDP must be open, run it through a VPN or audit all the usernames/passwords to make sure they can't be brute forced, limit which IP addresses can connect to it using the firewall (if possible), rename the Administrator account (and not to 'Admin'), set up security policies to lock out accounts after too many incorrect attempts, and make sure it's fully patched and automatic updates are on.


Usually they will create a new account and run self-contained applications that don't require installation. But, as mentioned, these sessions are so short that they are clearly brute forcing your passwords. You need to close off RDP from the internet.


- change to another RDP listening port http://support.micro...kb/306759/en-us

- restrict access through the Windows Firewall to known hosts only (might be problematic when you must connect from a dynamic IP, although you can also define ranges)

- enforce NLA (might not work with certain 3rd-party RDP clients) http://technet.micro...y/cc732713.aspx *Sorry, doesn't work on 2003 Server

- always install updates and have a secure password (obvious); only allow specific (no Windows default) users to connect



^ Great advice. Especially changing the port. You'd be surprised how doing something so insignificant as obscuring your RDP port number can reduce random connections to it by 10,000%+

When I set up a new server I always change the VNC, RDP and FTP port numbers to something else, and it usually completely eradicates attempted connections to those ports. With 65,535 possible port numbers, these random probing bots are not going to try every communication protocol on every port number on every IP address; they really only go for the low-hanging fruit because it's much faster.

And of course restricting it to only hosts you trust is a great way to stop determined infiltrators whilst the port number changing only really stops automated bots.


^ Exactly. I have to wonder why RDP would be open to the internet. If you must have it open, then as suggested it should be limited to specific IPs or at minimum the netblocks those users might be coming from.

I can tell you this for a fact: place a service on the public net and it will see traffic. Be it SSH, FTP, RDP or VNC; SMTP is a big one as well. These services are ripe for access or misuse. SMTP: can I bounce my mail off it and let you deliver my spam for me? FTP site: can I access it and store files so my warez buddies can download my stuff using your bandwidth? SSH: can I gain access to your server and use it to attack other systems or whatever? Same goes for RDP. Did you set Administrator with Password1 as your password? Well, there you go, I can use your system for whatever I want ;)

Now you can try to minimize the amount of traffic you see by changing the ports, so that, say, the RDP scripts don't check you at 8933 for example, but this is not the correct way to secure something. Just using an oddball port does not mean that someone cannot find it; it just might lower the amount of noise-type traffic you see on it, since the script kiddies normally just scan for 3389 to hit.

As stated, you should only allow RDP via a VPN into your network that is SECURED, normally with two-factor-type auth, etc. And if you cannot do that and you need it open to the public, SECURE IT WITH A VERY GOOD PASSWORD!!! and not your default-type usernames. Best to firewall it off to only allow access from the IPs that need access, etc.


lol... hacked, no. Beaten the fk up, yes. As budman stated, you open a common port on the internet and it is going to get beaten hard. Some bot is trying to get into your server. There was/is a flaw with RDP and simple passwords, well, not really a flaw but admin stupidity. If there is a user called "user" or "test" on your domain, these users are going to get hit with brute force attempts. That is more or less what you are seeing. Once the password has been found, the bot will log in, load up some malware on the compromised system and connect using RDP all over your network. budman saw this on one of my systems many months ago. Look for outbound connections that are flooding your pipe from certain PCs. Generally though, MSE is successful at removing the infection (they found it 2-3 weeks after the network that my company was managing became infected).

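The two posts above describe the same sequence: a bot walks through common usernames from one address, one guess lands, the bot logs in over RDP and then adds its own account and malware. As an added example (not from anyone in this thread), the script below triages a Security log export for exactly that pattern. It uses the Windows Server 2003 event IDs (529 failed logon, 528 successful logon, 624 user account created; logon type 10 is an RDP session); on Server 2008 and later the equivalents are 4625, 4624 and 4720. The log records are constructed for the example; on a real host you would build the same table from Get-EventLog -LogName Security (2003) or Get-WinEvent (2008+), pulling the logon type and the "Source Network Address" out of each event's message.

```powershell
# Added example: find RDP brute force and the sign that it succeeded.
# Event IDs: 529 = logon failure, 528 = successful logon, 624 = account created (2003 IDs).
# Logon type 10 = RemoteInteractive (RDP). Records below are constructed, not real data.
$SampleLog = @'
Time,EventID,LogonType,User,SourceIP
2012-03-01 02:10:01,529,10,administrator,198.51.100.23
2012-03-01 02:10:03,529,10,admin,198.51.100.23
2012-03-01 02:10:05,529,10,test,198.51.100.23
2012-03-01 02:10:07,529,10,user,198.51.100.23
2012-03-01 02:10:09,529,10,scanner,198.51.100.23
2012-03-01 02:10:11,529,10,backup,198.51.100.23
2012-03-01 02:10:13,528,10,scanner,198.51.100.23
2012-03-01 02:12:40,624,,backup2,
2012-03-01 08:30:00,529,10,jsmith,203.0.113.8
2012-03-01 08:30:20,528,10,jsmith,203.0.113.8
'@

function Get-LogonEvents {
    # Parse the CSV text into objects and attach a real [datetime] for comparisons.
    param([string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name When -Value ([datetime]$_.Time) -PassThru
    }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory=$true)][object[]]$Events,
        [int]$FailureThreshold = 5      # failures from one address before it counts as a bot
    )
    $rdp = $Events | Where-Object { $_.LogonType -eq '10' }
    foreach ($group in ($rdp | Group-Object -Property SourceIP)) {
        $ip       = $group.Name
        $failures = @($group.Group | Where-Object { $_.EventID -eq '529' })
        if ($failures.Count -lt $FailureThreshold) { continue }   # a user mistyping, not a bot

        $firstFailure = ($failures | Sort-Object When | Select-Object -First 1).When
        # A successful RDP logon from an address that was guessing is the real alarm.
        $successes = @($group.Group | Where-Object { $_.EventID -eq '528' -and $_.When -gt $firstFailure })

        # After a successful guess the attacker typically adds an account of their own.
        $created = @()
        if ($successes.Count -gt 0) {
            $created = @($Events | Where-Object { $_.EventID -eq '624' -and $_.When -gt $successes[0].When } |
                         ForEach-Object { $_.User })
        }
        if ($successes.Count -gt 0) { $verdict = 'LIKELY COMPROMISED - treat as breached' }
        else                        { $verdict = 'brute force in progress, no success seen' }

        New-Object PSObject -Property @{
            SourceIP        = $ip
            FailedAttempts  = $failures.Count
            UsernamesTried  = ($failures  | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
            SucceededAs     = ($successes | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
            AccountsCreated = $created -join ','
            Verdict         = $verdict
        }
    }
}

$events = Get-LogonEvents -Csv $SampleLog
Find-RdpBruteForce -Events $events -FailureThreshold 5 |
    Format-List SourceIP, FailedAttempts, UsernamesTried, SucceededAs, AccountsCreated, Verdict
```

With the sample data, 198.51.100.23 is reported with six failures across six guessed names, a success as "scanner" and the "backup2" account created two minutes later, so the verdict is compromised; 203.0.113.8 (one typo, then a success) stays below the threshold and is not reported. The threshold is the knob to tune: the "Scanner"/"scanner" account mentioned earlier in the thread falls within a handful of guesses, so anything above a few failures per address per hour from the internet deserves a look.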

Just change the RDP port to something other than the default 3389, e.g. 21788 or something.

Doing so will remove 99.9% of these automated scanning/bruteforcing tools.

The RDP port is located under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Change it to something else and create an exception for this port on your firewall.

Reboot and you are done.

If someone still tries to bruteforce the RDP, just block their IP / IP range in the Windows Firewall; it's very easy to do.

I had the same problem as you on a rented windows server and after changing the RDP port I saw 0 attempts on the new port.

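The port change above, the firewall restriction to known hosts, the lockout policy and the Administrator rename from the earlier posts are all local settings on the server, so here they are as one script. This is an added example, not from any poster in the thread, written for the Windows Server 2003 host the question is about: the "Terminal Server" registry key for the listener port, the XP/2003 "netsh firewall" syntax (Server 2008 and later use "netsh advfirewall"), "net accounts" for the lockout policy and WMI to rename the built-in Administrator. The port, the allowed address ranges, the new Administrator name and the RDP user list are placeholder values; change them before running. Run it elevated, on the server, from a console or out-of-band session so a mistake cannot lock you out, and expect a reboot at the end, because the listener only moves port after Terminal Services restarts.

```powershell
# Added example: harden an Internet-facing RDP listener on Windows Server 2003.
# All values in param() are placeholders for this example.
param(
    [int]$NewPort = 21788,                                          # anything other than 3389, above 1024
    [string[]]$AllowedFrom = @('203.0.113.0/24', '198.51.100.7'),   # office / VPN egress only (CIDR or host)
    [string]$AdminRename = 'svc-fileops',                           # not Admin, root, Administrator2 ...
    [string[]]$RdpUsers = @('jsmith', 'svc-fileops')                # the only accounts that need RDP
)

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpListenerPort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port out of range: $Port" }
    # Same value the post above edits by hand; it takes effect after Terminal Services restarts.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

function Limit-RdpFirewallScope {
    param([int]$Port, [string[]]$Addresses)
    # Open the new port first, and only for the listed hosts/ranges (scope=CUSTOM), then
    # close the well-known path. This order leaves no window where 3389 is still
    # world-reachable after the reboot, and no moment with no way in at all.
    $scope = $Addresses -join ','
    & netsh firewall set opmode mode=ENABLE
    & netsh firewall add portopening protocol=TCP port=$Port name=RDP-$Port mode=ENABLE scope=CUSTOM addresses=$scope
    & netsh firewall set service type=REMOTEDESKTOP mode=DISABLE   # the built-in 3389 exception
    & netsh firewall delete portopening protocol=TCP port=3389      # in case 3389 was also opened by hand
}

function Set-AccountLockout {
    param([int]$Threshold = 5, [int]$Minutes = 30)
    # Local policy. On a domain controller set this in the Default Domain Policy instead.
    & net accounts /lockoutthreshold:$Threshold /lockoutduration:$Minutes /lockoutwindow:$Minutes
}

function Rename-BuiltinAdministrator {
    param([string]$NewName)
    # Find it by its well-known RID (500), not by name, in case it was renamed before.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if ($admin.Name -eq $NewName) { return }
    $result = $admin.Rename($NewName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }
}

function Set-RdpUsers {
    param([string[]]$Users)
    # Members of Administrators can always RDP in; anyone else must be in this group.
    foreach ($u in $Users) { & net localgroup "Remote Desktop Users" $u /add }
}

$port = Set-RdpListenerPort -Port $NewPort
Limit-RdpFirewallScope -Port $port -Addresses $AllowedFrom
Set-AccountLockout -Threshold 5 -Minutes 30
Rename-BuiltinAdministrator -NewName $AdminRename
Set-RdpUsers -Users $RdpUsers
Write-Host "Listener answers on TCP $port after reboot; connect with mstsc /v:<host>:$port from an allowed address."
```

The scope=CUSTOM address list is what does the real work: it is the "restrict to known hosts" step from the bullet list earlier, and it is what stops a determined attacker who finds the new port anyway. If you genuinely must connect from a dynamic address, put the whole ISP range in the list rather than opening the port to the world. The lockout threshold makes the guessing in the first posts cost the attacker thirty minutes every five attempts, and renaming the RID-500 account means "administrator" is no longer a valid name to guess against.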

Set up TS Gateway: it listens on port 443 and does port redirection to hosts on your internal LAN... much more secure and simpler to maintain. Also, all comms to/from the TS Gateway are encrypted.


Looks like the policy logs from a Netscreen/SSG firewall to me. As said, ideally RDP ports shouldn't be open to the Internet, and going through a VPN is the best way. ScreenOS supports IPsec tunnels, so find a decent IPsec client :)
