Windows remote desktop hacked (maybe)

Forums › Microsoft Windows › Windows remote desktop hacked (maybe)

surfisup1000

5288 posts

Uber Geek

#101843 10-May-2012 08:32

The last couple of days I noticed some weird data usage overnight.

This morning, checked netlimiter and I'd uploaded 50mb while asleep.

Tracked this to process 1448, which is Remote desktop.

Found the connection was still active, and there was remote desktop uploading data to 61.186.90.102.

You can actually RDP to that IP address and it is a windows server 2003 machine in China.

I have no idea of what this person was uploading, nor can I figure out if they were actually signed on or not. Could failed connection attempts cause this amount of data up loading? IS there any logging of RDP anywhere?

I have a strong windows password, but now I'm wondering if RDP has a security exploit which was used to gain access to my machine .

Anyway, I've removed the port forwarding and will run some full system malware scans just to be sure.

freitasm

BDFL - Memuneh
79309 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#622650 10-May-2012 08:36

"I have a secure password"...

Worthless if there's a vulnerability. Have you applied all Windows Updates your system lately? Do you really need remote desktop? Why not use something like LogMeIn that doesn't need port forwarding?

surfisup1000

5288 posts

Uber Geek

#622678 10-May-2012 09:09

freitasm: "I have a secure password"...

Worthless if there's a vulnerability. Have you applied all Windows Updates your system lately? Do you really need remote desktop? Why not use something like LogMeIn that doesn't need port forwarding?

Windows 7 is 100% up to date on patches (lesson learnt, thanks msblaster, cost me $3000 in 2003).

Secure password.

Can 50mb of data could be generated by failed RDP log-on attempts. Windows RDP event logging is poor.

I'll look at LogMeIn.

RDP is permanently banned from my house.

Even if someone accessed my machine, all my passwords are secured by Truecrypt. But I'll change my banking passwords just to be sure.

Thanks.

Zeon

3918 posts

Uber Geek

Trusted

#622694 10-May-2012 09:36

Also make sure you require secure connections only for RDP

Speedtest 2019-10-14

wasabi2k

2096 posts

Uber Geek

#622718 10-May-2012 10:00

Are you saying the RDP traffic is inbound or outbound?

surfisup1000

5288 posts

Uber Geek

#622719 10-May-2012 10:02

wasabi2k: Are you saying the RDP traffic is inbound or outbound?

Approx 50MB Outbound traffic, to this china IP address.

Ragnor

8223 posts

Uber Geek

Trusted

#622740 10-May-2012 10:38

Exposing RDP directly is like painting a big target on your back.

Setup a VPN server at home and only use RDP over the VPN would be my recommendation.

CYaBro

4589 posts

Uber Geek

ID Verified

Trusted

#622750 10-May-2012 10:55

Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.

Opinions are my own and not the views of my employer.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

surfisup1000

5288 posts

Uber Geek

#622775 10-May-2012 11:24

Windows RDP is disabled...lesson learnt :)

However, from what I understand any system can be hacked regardless. You can just try to make it harder.

Have run all necessary scans, inc the kaspersky rootkit scanner.

LogMeIn is my RDP tool from now.

allan

2044 posts

Uber Geek

ID Verified

Lifetime subscriber

#622800 10-May-2012 11:58

CYaBro: Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.

No you don't need 3389 open on SBS. Windows Web Workplace over https takes care of handling the RDP traffic without having to port forward 3389.

wasabi2k

2096 posts

Uber Geek

#622818 10-May-2012 12:21

If it is outbound your PC is initiating the traffic - you don't have RDP open inbound?

Then what is initiating RDP connections outbound to that IP? That's the question. Rootkit/malware/etc.

wasabi2k

2096 posts

Uber Geek

#622819 10-May-2012 12:22

allan:
CYaBro: Have you run a rootkit scanner?

I had a client come to us with the same issue but that was on SBS2003 and there is a fix for that but MS say Win7 isn't affected.
Telecom usage meter showed that their monthly uploads went from about 1-2GB to over 10GB and they only noticed as they started hitting their data cap and getting slowed down to dial-up.

I found that their last IT provider had the SBS2003 in the DMZ in the router so didn't help and I installed the fix.

As others have said I wouldn't have port 3389 open to the internet.
If you really must have RDP open use another port like 33389.
Then when you want to connect with RDP just make sure you use ???.???.???.???:33389.

No you don't need 3389 open on SBS. Windows Web Workplace over https takes care of handling the RDP traffic without having to port forward 3389.

Yeah - which requires forwarding another port instead - the RDP isn't tunnelled over 443 with SBS2003.

lapimate

352 posts

Ultimate Geek

Trusted

Lifetime subscriber

#622883 10-May-2012 14:23

surfisup1000:... Is there any logging of RDP anywhere? ...

(Terminology: note the client end is referred to as "Remote Desktop Connection"; the server end is referred to as "Remote Desktop").

Turn logging on for Remote Desktop and set account lockout policies for repeated (may be a bit late for this!) logon attempts (Windows 7): How-to Remote Desktop Security Windows 7

Can turn general IP logging on in Windows Firewall > Advanced | Security Logging | Settings

Check System Event Log for events with Source "TermService".