10 posts

Wannabe Geek


Topic # 146717 27-May-2014 08:29

I run a work network comprising a Netgear ADSL modem/router and 5 computers peer-to-peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 gig a day. Obviously it was not anything I was doing. In the Resource Monitor svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward port 3389 (standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. 1320 in Services was being used by TermService, Nlasvc, plus some others including Remote Desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the questions I have, and perhaps a problem:
1. What was happening?
2. If I change the forwarding port to something other than 3389 (say 3391), RDP does not seem to work once 3389 has been used. I did also change the registry setting to 3391 from the standard 3389. Solution?
3. Any other issues that I need to look at?
Thanks
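The triage the opening post did by hand in Resource Monitor (find the svchost PID, work out which services live inside it, see where the traffic goes) can be scripted so it is repeatable on the other four machines. The script below is an added example, not the poster's own steps; it assumes Windows 7 or later with an elevated PowerShell prompt (process paths and netstat owners are hidden otherwise), and the PID 1320 default is simply the value quoted above.

```powershell
# Added example (not from the thread): tie a suspect svchost PID back to the
# binary it runs, the services it hosts, and the remote endpoints it talks to.
# Assumes Windows 7+, PowerShell 2.0+, elevated prompt. PID 1320 is the value
# quoted in the opening post; pass -SuspectPid for anything else.
param([int]$SuspectPid = 1320)

# 1. Is it really the Windows svchost? A lookalike running from anywhere other
#    than System32, or one that is not Microsoft-signed, is an indicator on its own.
$proc = Get-Process -Id $SuspectPid -ErrorAction Stop
$sig  = Get-AuthenticodeSignature -FilePath $proc.Path
"{0} (PID {1}) runs {2}; signature: {3}" -f $proc.Name, $SuspectPid, $proc.Path, $sig.Status
if ($proc.Path -notlike "$env:SystemRoot\System32\*") { "WARNING: svchost outside System32" }

# 2. Which services share this svchost instance? Win32_Service carries the PID;
#    Get-Service does not, so WMI is the portable way on Windows 7.
Get-WmiObject Win32_Service -Filter "ProcessId = $SuspectPid" |
    Select-Object Name, DisplayName, State | Format-Table -AutoSize

# 3. Established TCP connections owned by the PID. netstat is parsed rather
#    than Get-NetTCPConnection because that cmdlet only exists on Windows 8+.
#    Sample line:  TCP    192.168.1.10:49321   203.0.113.5:443   ESTABLISHED   1320
$pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$'
$conns = netstat -ano | ForEach-Object {
    if ($_ -match $pattern -and [int]$matches[6] -eq $SuspectPid -and $matches[5] -eq 'ESTABLISHED') {
        $remote = $matches[3]
        # Reverse-lookup the peer; this is where a name like the one in the post shows up.
        $rdns = '(no PTR)'
        try { $rdns = [System.Net.Dns]::GetHostEntry($remote).HostName } catch { }
        New-Object PSObject -Property @{
            LocalPort  = [int]$matches[2]
            RemoteAddr = $remote
            RemotePort = [int]$matches[4]
            RemoteName = $rdns
        }
    }
}
$conns | Sort-Object RemoteAddr | Format-Table LocalPort, RemoteAddr, RemotePort, RemoteName -AutoSize
```

A genuine svchost.exe lives in System32 and reports a Valid Microsoft signature; the service list answers the "which service is it" question directly; and the connection table is what to compare against the ds9777.dedicated.turbodns.co.uk name the post saw. None of these outputs proves the machine is clean: once someone has had an interactive session on it, the advice in the replies to flatten and reinstall still applies.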

4130 posts

Uber Geek
+1 received by user: 633

Moderator
Trusted
Subscriber

  Reply # 1054072 27-May-2014 08:36

There was an infection a year or two ago that exploited RDP, you might have picked it up?

How easy is it for you to rebuild the PC?



13333 posts

Uber Geek
+1 received by user: 2245

Trusted
Subscriber

  Reply # 1054085 27-May-2014 08:43

Did you run something like Malwarebytes, which is free? I assume you have a supported operating system that's fully patched?




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

10 posts

Wannabe Geek


  Reply # 1054088 27-May-2014 08:48

Hi
After I first noticed the upload traffic I did a fresh install of Windows 7 Pro and installed all the latest updates.

4937 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1054089 27-May-2014 08:48

RDP will happily run on another port.

But you shouldn't really rely on just the RDP password authentication; ideally run a VPN underneath or use certs.

My guess is the machine didn't have a strong password, and a dictionary attack has compromised the machine.

The PC needs to be flattened and reinstalled.

25663 posts

Uber Geek
+1 received by user: 5412

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1054092 27-May-2014 08:52
4 people support this post

Leaving RDP open and exposed to the internet with no firewall restrictions is just a fundamental security failing. It's just not something you should ever do.

If they had RDP access to a single machine on a network then every machine on that network should be treated as compromised.







10 posts

Wannabe Geek


  Reply # 1054099 27-May-2014 09:02

I am running MS Security Essentials plus the firewall within Windows.
What restrictions would I need to put in place?
Just to clarify: there was never an RDP hookup on my computer with another. I was always logged on as the user. Could the upload data be a DoS attack from my computer to another?

25663 posts

Uber Geek
+1 received by user: 5412

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1054102 27-May-2014 09:07

RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

4937 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1054103 27-May-2014 09:08

How strong was your password?

4937 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1054117 27-May-2014 09:26

What operating system?



10 posts

Wannabe Geek


  Reply # 1054118 27-May-2014 09:28

Thanks for your reply sbiddle. Are you able to offer any advice on the best setup for RDP and VPN so I can access my work computer from home?


25663 posts

Uber Geek
+1 received by user: 5412

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1054122 27-May-2014 09:35

Buy a router that supports VPN access allowing you to establish a VPN connection into your network. Once you've done that you'll be able to RDP into your machine.


5069 posts

Uber Geek
+1 received by user: 2093

Trusted
Subscriber

  Reply # 1054174 27-May-2014 10:20

Draytek





Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


8020 posts

Uber Geek
+1 received by user: 386

Trusted
Subscriber

  Reply # 1054504 27-May-2014 18:34
One person supports this post

Yes, ideally you want a modem/router that supports VPN connections, so you can establish a VPN from your work computer to your home network, then remote desktop over that VPN connection.

If you are going to allow remote desktop directly, at least follow these steps to maximize the security (change port, NLA, etc):
http://jack-brennan.com/securing-remote-desktop-on-windows-8-and-windows-7/
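The hardening steps spread across the replies (non-default port and NLA in the post above, a VPN or source-IP restriction in the earlier replies, and a strong password that a dictionary attack cannot grind through) can be applied in one script. It also covers the opening post's second question: the stock "Remote Desktop" firewall rules only allow 3389, so after a registry port change nothing listens on the new port until a rule is added and the service restarted. This is an added example and not code from the linked article or the thread; it assumes Windows 7 Pro or later, an elevated PowerShell prompt at the console (the RDP listener restarts at the end and any RDP session will drop), port 3391 as the OP chose, and 203.0.113.0/24 as a placeholder for the home or VPN address range you connect from.

```powershell
# Added example (not from the thread): harden an internet-facing Windows RDP
# host along the lines the replies recommend. Run elevated, from the console.
# Port 3391 is the OP's choice; 203.0.113.0/24 is a placeholder source range.
param(
    [int]$NewPort = 3391,
    [string[]]$AllowedSources = @('203.0.113.0/24')   # home/VPN addresses allowed to connect
)

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Non-default port. This is the registry value the OP changed. On its own it
#    only thins out scanner noise; the steps below are what actually help.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# 2. Network Level Authentication (the client authenticates over CredSSP before
#    a session exists) and the TLS security layer, so unauthenticated clients
#    never reach the logon screen.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $ts     -Name fDenyTSConnections -Value 0 -Type DWord

# 3. Firewall. The built-in "Remote Desktop" rule group allows 3389 from any
#    address and does not cover the new port. Disable the group and add one
#    rule scoped to the allowed sources; every other source hits the default
#    inbound block.
$remote = $AllowedSources -join ','
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall delete rule name="RDP restricted" | Out-Null   # ignore "no rules match" on first run
netsh advfirewall firewall add rule name="RDP restricted" dir=in action=allow `
    protocol=TCP "localport=$NewPort" "remoteip=$remote" profile=any

# 4. Account lockout, so a dictionary attack stalls instead of walking a
#    wordlist: 10 failures in 30 minutes locks the account for 30 minutes.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 5. Apply. Restart the listener (reboot instead if the service refuses to stop).
Restart-Service TermService -Force

# 6. Verify: something should be LISTENING on the new port, and the only
#    enabled inbound RDP rule should be the scoped one.
netstat -ano | Select-String "^\s*TCP\s+\S+:$NewPort\s.*LISTENING"
netsh advfirewall firewall show rule name="RDP restricted"
```

The router's port forward has to be changed to the same port, and the rule's remoteip list is only as good as the addresses in it: a dynamic home IP will need updating, which is one more reason the VPN approach the thread recommends is the better end state. SecurityLayer 2 uses the machine's self-signed certificate unless you install one, which is what the "use certs" suggestion above refers to.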



gjm

733 posts

Ultimate Geek
+1 received by user: 90


  Reply # 1054541 27-May-2014 19:06
One person supports this post

Or you could use TeamViewer and restrict access to only the TeamViewer accounts you specify. Still not ideal, but better than exposing 3389 to the internet.




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

20429 posts

Uber Geek
+1 received by user: 3899

Trusted
Subscriber

  Reply # 1054588 27-May-2014 20:04

I had 3389 put thru to one of my downloading machines for a while. It was getting someone grinding away at it with great regularity.




Richard rich.ms
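Both the dictionary-attack guess in the earlier reply and the "someone grinding away at it" observation above are visible in the Security event log: every failed logon is event 4625 with the source address in its EventData. The function below is an added example, not something from the thread; it assumes an elevated prompt (the Security log is admin-only), Windows 7 or later where logon-failure auditing is on by default, and the thresholds are arbitrary starting points.

```powershell
# Added example (not from the thread): summarise failed logons (Security event
# 4625) per source address to show an RDP password-guessing run. Assumes an
# elevated prompt on Windows 7+; -Hours and -Threshold are arbitrary defaults.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # how far back to look
        [int]$Threshold = 10    # report sources with at least this many failures
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $bySource = @{}
    foreach ($e in $events) {
        # EventData fields are only reachable through the event XML on PS 2.0.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $ip = $d['IpAddress']
        if (-not $ip -or $ip -eq '-' -or $ip -eq '::1' -or $ip -eq '127.0.0.1') { continue }

        if (-not $bySource.ContainsKey($ip)) {
            $bySource[$ip] = @{ Hits = 0; Users = @{}; Types = @{}; First = $e.TimeCreated; Last = $e.TimeCreated }
        }
        $s = $bySource[$ip]
        $s['Hits']++
        if ($d['TargetUserName']) { $s['Users'][$d['TargetUserName']] = $true }
        # LogonType 10 = RemoteInteractive (plain RDP); 3 = Network, which is what
        # failures in front of an NLA-protected listener are logged as.
        if ($d['LogonType']) { $s['Types'][$d['LogonType']] = $true }
        if ($e.TimeCreated -lt $s['First']) { $s['First'] = $e.TimeCreated }
        if ($e.TimeCreated -gt $s['Last'])  { $s['Last']  = $e.TimeCreated }
    }

    foreach ($ip in $bySource.Keys) {
        $s = $bySource[$ip]
        if ($s['Hits'] -lt $Threshold) { continue }
        New-Object PSObject -Property @{
            Source     = $ip
            Failures   = $s['Hits']
            Usernames  = ($s['Users'].Keys | Sort-Object) -join ','
            LogonTypes = ($s['Types'].Keys | Sort-Object) -join ','
            First      = $s['First']
            Last       = $s['Last']
        }
    }
}

# Usage: one source trying dozens of usernames (administrator, admin, user, ...)
# inside a few minutes is a password-guessing bot, not a colleague with a typo.
Get-FailedLogonSummary -Hours 48 -Threshold 10 |
    Sort-Object Failures -Descending |
    Format-Table Source, Failures, LogonTypes, First, Last, Usernames -AutoSize
```

The Usernames column is the tell: a guessing tool cycles through common account names, while a legitimate user fails on one. If the log shows a burst of failures followed by a successful 4624 from the same address, treat that as the moment of compromise rather than as the attack stopping.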
