Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

ForumsMicrosoft WindowsWindows remote desktop hacked (maybe)


572 posts

Ultimate Geek
Topic # 101843 10-May-2012 08:32 Send private message

The last couple of days I noticed some weird data usage overnight. 

This morning, checked netlimiter and I'd uploaded 50mb while asleep. 

Tracked this to process 1448, which is Remote desktop. 

Found the connection was still active, and there was remote desktop uploading data to 61.186.90.102. 

You can actually RDP to that IP address and it is a windows server 2003 machine in China.

I have no idea of what this person was uploading, nor can I figure out if they were actually signed on or not.   Could failed connection attempts cause this amount of data up loading?   IS there any logging of RDP anywhere?

I have a strong windows password, but now I'm wondering if RDP has a security exploit which was used to gain access to my machine .

Anyway, I've removed the port forwarding and will run some full system malware scans just to be sure. 

Create new topic
BDFL
43646 posts

Uber Geek

Administrator
Trusted
Geekzone
Subscriber
  Reply # 622650 10-May-2012 08:36 Send private message

"I have a secure password"...

Worthless if there's a vulnerability. Have you applied all Windows Updates your system lately? Do you really need remote desktop? Why not use something like LogMeIn that doesn't need port forwarding?







Mauricio Freitas (Geekzone Admin, Devil's Advocate, my blogtechnology disclosure, my tweets, Web Performance Optimization

Geekzone Price comparison | Amazon Kindle order page | How to get the best out of Geekzone | New Zealand IT Jobs | Geekzone News | Jinglebugs 



572 posts

Ultimate Geek
  Reply # 622678 10-May-2012 09:09 Send private message

freitasm: "I have a secure password"...

Worthless if there's a vulnerability. Have you applied all Windows Updates your system lately? Do you really need remote desktop? Why not use something like LogMeIn that doesn't need port forwarding?




Windows 7 is 100% up to date on patches (lesson learnt, thanks msblaster, cost me $3000 in 2003).

Secure password. 

Can 50mb of data could be generated by failed RDP log-on attempts. Windows RDP event logging is poor. 

I'll look at LogMeIn.

RDP is permanently banned from my house.

Even if someone accessed my machine, all my passwords are secured by Truecrypt.  But I'll change my banking passwords just to be sure. 

Thanks.




2365 posts

Uber Geek

Trusted
Subscriber
  Reply # 622694 10-May-2012 09:36 Send private message

Also make sure you require secure connections only for RDP





171 posts

Master Geek
  Reply # 622718 10-May-2012 10:00 Send private message

Are you saying the RDP traffic is inbound or outbound?



572 posts

Ultimate Geek
  Reply # 622719 10-May-2012 10:02 Send private message

wasabi2k: Are you saying the RDP traffic is inbound or outbound?


Approx 50MB Outbound traffic, to this china IP address. 

6887 posts

Uber Geek

Trusted
Subscriber
  Reply # 622740 10-May-2012 10:38 Send private message

Exposing RDP directly is like painting a big target on your back.

Setup a VPN server at home and only use RDP over the VPN would be my recommendation.

1782 posts

Uber Geek
  Reply # 622750 10-May-2012 10:55 Send private message

Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.






Computer Repairs Whangarei
Remote Support



572 posts

Ultimate Geek
  Reply # 622775 10-May-2012 11:24 Send private message

Windows RDP is disabled...lesson learnt :)

However, from what I understand any system can be hacked regardless. You can just try to make it harder.

Have run all necessary scans, inc the kaspersky rootkit scanner.

LogMeIn is my RDP tool from now.

606 posts

Ultimate Geek

Subscriber
  Reply # 622800 10-May-2012 11:58 Send private message

CYaBro: Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.

No you don't need 3389 open on SBS. Windows Web Workplace over https takes care of handling the RDP traffic without having to port forward 3389.

171 posts

Master Geek
  Reply # 622818 10-May-2012 12:21 Send private message

If it is outbound your PC is initiating the traffic - you don't have RDP open inbound?

Then what is initiating RDP connections outbound to that IP? That's the question. Rootkit/malware/etc.

171 posts

Master Geek
  Reply # 622819 10-May-2012 12:22 Send private message

allan:
CYaBro: Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.

No you don't need 3389 open on SBS. Windows Web Workplace over https takes care of handling the RDP traffic without having to port forward 3389.


Yeah - which requires forwarding another port instead - the RDP isn't tunnelled over 443 with SBS2003.

164 posts

Master Geek

Trusted
  Reply # 622883 10-May-2012 14:23 Send private message

surfisup1000:... Is there any logging of RDP anywhere? ...


(Terminology: note the client end is referred to as "Remote Desktop Connection"; the server end is referred to as "Remote Desktop").

Turn logging on for Remote Desktop and set account lockout policies for repeated (may be a bit late for this!) logon attempts (Windows 7): How-to Remote Desktop Security Windows 7

Can turn general IP logging on in Windows Firewall > Advanced | Security Logging | Settings

Check System Event Log for events with Source "TermService".

Create new topic
Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when new jobs are posted to our jobs board:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »
Android and iOS combine for 92.3% of all smartphone OS shipment in the first 2013 quarter
Posted 17-May-2013 08:38

Apple’s App Store marks 50 billionth download
Posted 17-May-2013 08:25

Gen-i divests Davanti Consulting through management buyout
Posted 16-May-2013 14:02

Huawei G510 bring big-screen mobile entertainment for Android users
Posted 16-May-2013 11:49

BlackBerry BBM goes multiplatform: iOS and Android versions
Posted 15-May-2013 11:28

BlackBerry introduces BlackBerry 10 QWERTY smartphone
Posted 15-May-2013 09:32


Trending now »
Hot discussions in our forums right now:

A reason not to shop at dick smith
Created by dsnz1, last reply by AKLWestie on 17-May-2013 22:45 (82 replies)
Pages... 4 5 6

Chorus is cutting the cost of VDSL to service providers from June 7
Created by maxzzz, last reply by Ragnor on 16-May-2013 02:57 (40 replies)
Pages... 2 3

A new project coming to Geekzone
Created by freitasm, last reply by CapBBeard on 18-May-2013 20:20 (194 replies)
Pages... 11 12 13

HTC One (2013) owners' discussion
Created by Dingbatt, last reply by Indio on 18-May-2013 22:00 (1404 replies)
Pages... 92 93 94

Galaxy S4 to run stock Android, by Google
Created by kiwitrc, last reply by Lambchop on 17-May-2013 02:54 (30 replies)
Pages... 2

Sitting on a boring conference call
Created by SaltyNZ, last reply by SepticSceptic on 17-May-2013 16:52 (14 replies)

Office 365 service outage 2013-05-18
Created by freitasm, last reply by networkn on 18-May-2013 22:31 (12 replies)

Samsung Galaxy SIII Discussion and Owners Thread
Created by networkn, last reply by Johnk on 18-May-2013 14:50 (5522 replies)
Pages... 367 368 369


Geekzone Jobs »
Most recent NZ jobs in technology:

IT Technician
Posted 18-May-2013 22:27

IT Technician
Posted 18-May-2013 22:27

Office Girl
Posted 18-May-2013 13:27

CRM Lead/ Senior MS CRM Consultant
Posted 18-May-2013 09:27

Business Analyst - Technical Web Focus
Posted 18-May-2013 09:27

Senior Front End Developer
Posted 18-May-2013 09:27

Client Support Analyst
Posted 17-May-2013 23:26


Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.