[Win Server 2003] VPN or proxy to change IP in RDP?



Hello,

I want to know if it is possible for a malicious person to go through a VPN or proxy to change their IP when connecting to a remote desktop.

And therefore, can an allowed IP range be configured for Remote Desktop in Windows Server 2003?

Thank you in advance for your info.

Cordially.


If they have admin access over the computer they are remoting into, yes, they can change the IP address. If they do not have admin access to it, they cannot.


There has been an intrusion into the server, and the IP that I found is a Chinese IP. But what seems strange is that the person had an administrator account on the server... How would he have done that? Since one must be physically present at the server or already have a remote desktop account. And that is why I asked the question on the forum, to see whether it's not someone in the office who is hiding their IP to do this.


There is an RDP exploit, and if your server is left unpatched with a weak admin password it will get brute-forced very quickly. This has been known for at least 2 years now. Tighten up your security and don't use an easy admin password; better yet, don't use the standard administrative user called Administrator, rename it.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32%2FMorto.A


Yeah, there is an RDP hacking tool. So they can log on (generally speaking, unless you have tied it down with Group Policy or Local Policy) with whatever account they damn well please. As for any proxy: you can proxy ANY traffic. Enjoy the wonders of the internet.


Who would ever in their right mind expose RDP directly to the public net? That would be just nuts. You should be restricting the IPs that can access it at a minimum. I would only allow RDP via VPN, with secure two-factor auth to access the VPN in the first place.


A good hardware firewall will allow you to make access control lists, or ACLs.

Why can't you enable the Windows firewall? If the system won't let you, then you should run a cleanup for Morto and other viruses and rootkits.


Yeah, worst case you could use the software firewall. And I agree: if you cannot even start the software firewall you have something major wrong that needs to be fixed!!

But what are you using to connect this server to the internet? Even the most basic SOHO home router should allow you to restrict the source IP that can access your port forward to RDP.


Server 2003 that is directly accessible via the internet, and you have RDP enabled? I'd bet that the one person you detected is the least of your concerns by now. Honestly, I hope you have nothing of any financial importance on the connected infrastructure.


Thank you for your reply. I have a problem going into the Windows Firewall on 2003; I get a message saying: "The Windows Firewall cannot execute because another program or service that is currently running could be using the network address translation component (Ipnat.sys)."

I did some research on the forums and I disabled the VPN; it's still the same...

Would you have an idea for this? Because I would be interested in allowing only certain IPs in the firewall.

The router firewall (Linksys WRT54GL) only allows customizing the internet IP... or is it the same thing?

Thank you in advance.

PS: the intruder uses another port to connect to the server, not the RDP port (3389).


If you're running a WRT54GL, then you can run any 3rd-party firmware you want: OpenWrt, DD-WRT, Tomato, all of which allow you to put restrictions on your port forwards for source IPs.

You mention VPN. If the server is running VPN, why would RDP be open to the public internet at all?

You say they didn't use RDP port 3389. What other ports do you have open to the public net? You don't have the server in your router's DMZ, do you?


Sorry if you didn't understand my answer; I said "the person who connected to my server did not use RDP port 3389, but used a port like 14564..."

Yes, I had VPN enabled on the server ====> but it's disabled now (I don't know who enabled it).

Yes, I use public RDP so I can connect from my home to work.

Yes, I use DD-WRT, but is it only possible to manage the internet IP? No?

Thanks in advance.

 

PS: Sorry for my poor english.


"but he use one port like 14564"

And what service would be listening on that port to connect to? That seems unlikely; more likely you are reading the info given wrong. Possibly that is the source port they connected from?

So you access your box via RDP from your house. So on your router, where you forward 3389 to your server's IP, put a restriction that traffic forwarded to your server's internal IP can only come from your house IP. Or if your IP changes quite often, then limit it to your ISP netblock, say 24.13.?.0/24 or /23 or /22, etc. This at least limits your exposure, as to who can hit your remote desktop, to a small number, vs. say every bot/hacker in China ;)


Like this:

   IP source:     60.184.201.209
   Source port:   60017

But only port 3389 is forwarded to the server.

No other port is open. And one person can log in via RDP...

OK, to put a restriction for all IPs but not my IP, how do I do this on the Windows firewall? Can you show me an example?

Thanks.


They initiate the connection on 3389. Once connected and running, they can then call out on any port, as your router/firewall doesn't block outgoing connections, only incoming.

When they are connected to your server, do a netstat -a -n and paste the results here.


Can't report everything netstat returns (too long), but I post the most important part:

Proto  Local Address          Foreign Address          State
TCP    0.0.0.0:53             0.0.0.0:0              listening
TCP    0.0.0.0:135            0.0.0.0:0              listening
TCP    0.0.0.0:445            0.0.0.0:0              listening
TCP    0.0.0.0:1025           0.0.0.0:0              listening
TCP    0.0.0.0:1027           0.0.0.0:0              listening
TCP    0.0.0.0:1028           0.0.0.0:0              listening
TCP    0.0.0.0:1029           0.0.0.0:0              listening
TCP    0.0.0.0:3389           0.0.0.0:0              listening
TCP    0.0.0.0:47001          0.0.0.0:0              listening
TCP    127.0.0.1:1030         0.0.0.0:0              listening
TCP    127.0.0.1:10110        0.0.0.0:0              listening
TCP    192.168.0.2:139        0.0.0.0:0              listening
TCP    192.168.0.2:445        192.168.0.114:50795    established
TCP    192.168.0.2:445        192.168.0.117:49865    established

TCP    192.168.0.2:3389       79.115.75.205:16657    established <---  who is it ?

TCP    192.168.0.2:3389       81.51.194.251:55164    established  <---  its me
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:500            *:*
UDP    0.0.0.0:1026           *:*
UDP    0.0.0.0:4500           *:*

...    continue -->

UDP    0.0.0.0:65504          *:*
UDP    0.0.0.0:65521          *:*
UDP    0.0.0.0:65531          *:*
UDP    127.0.0.1:53           *:*
UDP    127.0.0.1:123          *:*
UDP    127.0.0.1:58404        *:*
UDP    192.168.0.2:53         *:*
UDP    192.168.0.2:123        *:*
UDP    192.168.0.2:137        *:*
UDP    192.168.0.2:138        *:*


"81.51.194.251"

So that is your IP. You need to restrict forwarding of 3389 to only this source IP, so that the guy from

RO-RESIDENTIAL, RCS & RDS Residential, Pitesti, 03, Romania

cannot get in. Nor the guy from China, nor the guy from Iran, etc. etc.

You are the only one that needs RDP access, correct? Then in your router, on the port forwarding rule, only allow access from YOUR IP, or from your ISP at a minimum: 81.51.0.0/16, France Telecom.

edit: To be honest I would WIPE that box. It's highly likely that rootkits/backdoors have been installed already.

edit: What firmware are you running on your WRT54GL? If native firmware from Linksys, I doubt you can put restrictions on your port forwarding. Put 3rd-party firmware on it, and then you can easily restrict access to your forward to only your IP or only your ISP network, etc.

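Two of the replies above carry the concrete checks in this thread: read the netstat -a -n listing for RDP sessions that are not yours, and restrict the 3389 port forward on the router to your own source range. The following is an added example, not code from anyone in this thread: it parses a constructed netstat listing shaped like the one posted above, flags ESTABLISHED 3389 sessions whose peer is outside an assumed allowlist (81.51.0.0/16 as suggested, plus the 192.168.0.0/24 LAN), lists any other established sessions with public peers (the "they can call out on any port" point), and prints the shape of DD-WRT iptables rules that would enforce the restriction. The WAN interface name vlan1 and the server address 192.168.0.2 are assumptions; check your own router before pasting rules.

```python
import ipaddress
import re

# Constructed sample in the shape of Windows `netstat -a -n` output, modelled on
# the listing in the thread; this is not a live capture.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
TCP    192.168.0.2:445        192.168.0.114:50795    ESTABLISHED
TCP    192.168.0.2:3389       79.115.75.205:16657    ESTABLISHED
TCP    192.168.0.2:3389       81.51.194.251:55164    ESTABLISHED
TCP    192.168.0.2:14564      60.184.201.209:60017   ESTABLISHED
UDP    0.0.0.0:500            *:*
"""

# Assumption: the admin's only legitimate RDP sources are his ISP block (the
# 81.51.0.0/16 suggested in the thread) and the office LAN.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("81.51.0.0/16"),
                       ipaddress.ip_network("192.168.0.0/24")]
RDP_PORT = 3389

# proto, local addr:port, foreign addr:port, optional state ("*:*" for UDP)
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?$")


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "raddr": raddr, "rport": rport,
                     "state": (state or "").upper()})
    return rows


def is_allowed(addr):
    """True if addr falls inside one of the allowed RDP source networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "*" or garbage
        return False
    return any(ip in net for net in ALLOWED_RDP_SOURCES)


def rogue_rdp_sessions(text):
    """Peers holding an ESTABLISHED session to 3389 from outside the allowlist."""
    return [r["raddr"] for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["lport"] == str(RDP_PORT)
            and r["state"] == "ESTABLISHED" and not is_allowed(r["raddr"])]


def public_nonrdp_sessions(text):
    """Established TCP sessions with a non-private peer on any port but 3389.

    netstat does not show who initiated the connection, so these are the
    candidates for 'called out after logging in' and deserve a look.
    """
    found = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        if r["lport"] == str(RDP_PORT):
            continue
        try:
            peer = ipaddress.ip_address(r["raddr"])
        except ValueError:
            continue
        if not peer.is_private:
            found.append((r["lport"], r["raddr"], r["rport"]))
    return found


def ddwrt_rules(wan_iface="vlan1", server="192.168.0.2"):
    """iptables commands that forward 3389 only from public allowlist ranges.

    All rules use -I (insert at top), so they are emitted DROP first and the
    ACCEPT/DNAT rules after it, which leaves ACCEPT above DROP in the chain.
    Interface and server address are assumptions for this example.
    """
    rules = [f"iptables -I FORWARD -i {wan_iface} -p tcp -d {server} "
             f"--dport {RDP_PORT} -j DROP"]
    for net in ALLOWED_RDP_SOURCES:
        if net.is_private:      # LAN clients never traverse the WAN forward
            continue
        rules.append(f"iptables -I FORWARD -i {wan_iface} -p tcp -s {net} "
                     f"-d {server} --dport {RDP_PORT} -j ACCEPT")
        rules.append(f"iptables -t nat -I PREROUTING -i {wan_iface} -p tcp "
                     f"-s {net} --dport {RDP_PORT} "
                     f"-j DNAT --to-destination {server}:{RDP_PORT}")
    return rules


if __name__ == "__main__":
    print("RDP sessions from outside the allowlist:", rogue_rdp_sessions(SAMPLE_NETSTAT))
    print("Other established sessions with public peers:", public_nonrdp_sessions(SAMPLE_NETSTAT))
    print("\n".join(ddwrt_rules()))
```

On the sample the rogue RDP peer is 79.115.75.205 (the Romanian address the thread identified), the admin's own 81.51.194.251 passes, and the 14564 session to 60.184.201.209 shows up as a non-RDP public session worth explaining. The router rules only narrow who can reach 3389; they do nothing about an account or backdoor already on the box, which is why the wipe recommendation above still stands.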

Yes, I think I'll reformat the computer and reinstall everything safely... :(

Thank you very, very much for your help, and I'll take care now!!! My first job after reinstalling is to filter IPs!


IP 79.115.75.205 deleted files on the server...

I need help please! I think it is a bad guy who works with me, and who is a friend of the boss...

Because every time I change the password since the last attack, I give it to my boss. But shortly after, the server suffers a new attack...

How can I trace the IP 79.115.75.205 to see whether it comes from France? Are there any programs for this?

A big thank you in advance for your answers.

PS: I restricted forwarding of port 3389 to 81.51.0.0/16 only.


dnsstuff.com

 

See who owns the IP and where it is located. If it is malware, no matter what you change your password to they can find it out, or they have created a backdoor account, and that would circumvent any password changes you make to Administrator.


"How I can do to trace the IP 79.115.75.205 to see if it does not come from France?"

Already told you, it's in Romania.

Here is a site I use all the time:

http://www.robtex.com/

Great tool site for looking up info about an IP, etc.

But a simple whois can tell you who owns that netspace:

budman@ubuntu:~$ whois 79.115.75.205
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '79.115.64.0 - 79.115.79.255'

% Abuse contact for '79.115.64.0 - 79.115.79.255' is 'abuse@rcs-rds.ro'

inetnum:        79.115.64.0 - 79.115.79.255
netname:        RO-RESIDENTIAL
descr:          RCS & RDS Residential
descr:          City: Pitesti
country:        RO
admin-c:        CN19-RIPE
tech-c:         CN19-RIPE
tech-c:         RDS2012-RIPE
status:         ASSIGNED PA
mnt-by:         AS8708-MNT
mnt-lower:      AS8708-MNT
source:         RIPE # Filtered

role:           RCS RDS
address:        71-75 Dr. Staicovici
address:        Bucharest / ROMANIA
phone:          +40 21 30 10 888
fax-no:         +40 21 30 10 892
abuse-mailbox:  abuse@rcs-rds.ro
admin-c:        GEPU1-RIPE
tech-c:         GEPU1-RIPE
nic-hdl:        RDS2012-RIPE
mnt-by:         RDS-MNT
remarks:        +------------------------------------------------------------+
remarks:        | Please use ABUSE@RCS-RDS.RO for complaints and only after  |
remarks:        | you have tried contacting directly our customers according |
remarks:        | to the details registered in RIPE database.                |
remarks:        +------------------------------------------------------------+
remarks:        | DO NOT CALL, FAX, OR CONTACT US BY ANY OTHER MEANS EXCEPT  |
remarks:        |                    abuse@rcs-rds.ro                        |
remarks:        +------------------------------------------------------------+
source:         RIPE # Filtered

person:         Ciprian Nica
remarks:        IP Resources Manager
remarks:        RCS & RDS
address:        Bucharest, Romania
phone:          + 40 31 400 42 43
abuse-mailbox:  abuse@rcs-rds.ro
remarks:        ------------------------------------------------
remarks:        | Please do not send me any abuse complaints.  |
remarks:        | Use abuse@rcs-rds.ro for that or contact     |
remarks:        | your service provider or local authorities   |
remarks:        |  ! DO NOT CALL ME REGARDING ABUSE ISSUES  !  |
remarks:        |   Please do not make an abuse yourself by    |
remarks:        |          disregarding this request !         |
remarks:        |   I WILL NOT HELP YOU WITH YOUR PROBLEM !    |
remarks:        ------------------------------------------------
nic-hdl:        CN19-RIPE
mnt-by:         NIMACI-MNT
source:         RIPE # Filtered

% Information related to '79.112.0.0/13AS8708'

route:          79.112.0.0/13
descr:          RDSNET
origin:         AS8708
mnt-by:         AS8708-MNT
source:         RIPE # Filtered

OK, many thanks guys!

I found a trojan on my computer...

Troj/Agent-VWJ
Category: Viruses and Spyware
Type: Trojan
Protection available since: 02 May 2012 01:33:00 (GMT)
Last Updated: 02 May 2012 01:33:00 (GMT)
Other vendor detection: Kaspersky: Backdoor.Win32.G_Door.bm

I suppose that's the cause of my problem?!
