Geekzone: technology news, blogs, forums
12 posts

Geek


#146717 27-May-2014 08:29

I run a work network comprising a Netgear ADSL modem/router and 5 computers peer-to-peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 gig a day. Obviously it was not anything I was doing. In the Resource Monitor, svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward port 3389 (standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. 1320 in Services was being used by TermService, Nlasvc, plus some others including Remote Desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the questions I have, and perhaps a problem:
1. What was happening?
2. If I change the forwarding port to something other than 3389 (say 3391), once 3389 has been used, RDP does not seem to work. I did also change the registry setting to 3391 from the standard 3389. Solution?
3. Any other issues that I need to look at?
Thanks

6277 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1054072 27-May-2014 08:36

There was an infection a year or two ago that exploited RDP; you might have picked it up?

How easy is it for you to rebuild the PC?



15908 posts

Uber Geek

Trusted
Subscriber

  #1054085 27-May-2014 08:43

Did you run something like Malware Bytes, which is free? I assume you have a supported operating system that's fully patched?





12 posts

Geek


  #1054088 27-May-2014 08:48

Hi
After I first noticed the upload traffic I did a fresh install of Windows 7 Pro and installed all the latest updates.

5301 posts

Uber Geek

Trusted
Microsoft

  #1054089 27-May-2014 08:48

RDP will happily run on another port.

But you shouldn't really rely on just the RDP password authentication; ideally run a VPN underneath or use certs.

My guess is the machine didn't have a strong password, and a dictionary attack has compromised the machine.

The PC needs to be flattened and reinstalled.

28947 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #1054092 27-May-2014 08:52

Leaving RDP open and exposed to the internet with no firewall restrictions is just a fundamental security failing. It's just not something you should ever do.

If they had RDP access to a single machine on a network then every machine on that network should be treated as compromised.







12 posts

Geek


  #1054099 27-May-2014 09:02

I am running MS Security Essentials plus the firewall within Windows.
What restrictions would I need to put in place?
Just to clarify: there was never an RDP hookup on my computer with another. I was always logged on as the user. Could the upload data be a DoS attack from my computer to another?

28947 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #1054102 27-May-2014 09:07

RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.



5301 posts

Uber Geek

Trusted
Microsoft

  #1054103 27-May-2014 09:08

How strong was your password?

5301 posts

Uber Geek

Trusted
Microsoft

  #1054117 27-May-2014 09:26

What operating system?



12 posts

Geek


  #1054118 27-May-2014 09:28

Thanks for your reply sbiddle. Are you able to offer any advice on the best setup for RDP and VPN so I can access my work computer from home?


28947 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #1054122 27-May-2014 09:35

Buy a router that supports VPN access allowing you to establish a VPN connection into your network. Once you've done that you'll be able to RDP into your machine.


5663 posts

Uber Geek

Trusted
Lifetime subscriber

  #1054174 27-May-2014 10:20

Draytek







8035 posts

Uber Geek

Trusted

  #1054504 27-May-2014 18:34

Yes, ideally you want a modem/router that supports VPN connections, so you can establish a VPN from your work computer to your home network and then remote desktop over that VPN connection.

If you are going to allow remote desktop directly, at least follow these steps to maximize the security (change port, NLA, etc.):
http://jack-brennan.com/securing-remote-desktop-on-windows-8-and-windows-7/
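As an added example (not code from any poster or from the linked article), here is a PowerShell script for the Windows 7 Pro work PC that applies the advice in this thread: it moves the RDP listener to 3391 as in the original post, turns on NLA, and replaces the stock any-source firewall rule with one that only accepts the home connection's address range, as sbiddle suggested. The source range 203.0.113.0/24 is a placeholder you must replace with your own; the script must be run from an elevated PowerShell prompt.

```powershell
# Added example: harden the RDP listener on Windows 7 Pro (run as Administrator).
# Assumptions (not from the thread): the home side connects from 203.0.113.0/24
# (placeholder), and the new listener port is 3391 as in the original post.
$NewPort     = 3391
$AllowedFrom = '203.0.113.0/24'   # placeholder: replace with your home/static IP range
$RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Move the listener off 3389 and require Network Level Authentication (NLA), so a
#    remote party has to authenticate before a session (and logon screen) is created.
Set-ItemProperty -Path $RdpKey -Name PortNumber         -Value $NewPort -Type DWord
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1        -Type DWord  # NLA on
Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2        -Type DWord  # TLS only
Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0        -Type DWord  # keep RDP enabled

# 2. The stock rule "Remote Desktop (TCP-In)" (Windows 7 name) opens TCP 3389 from any
#    address and nothing else, which is why RDP stops answering once PortNumber changes.
#    Disable it and add a rule for the new port that accepts the allowed source range only.
#    netsh is used because the *-NetFirewallRule cmdlets need Windows 8 or later.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="RDP restricted" | Out-Null   # idempotent re-run
netsh advfirewall firewall add rule name="RDP restricted" dir=in action=allow `
    protocol=TCP localport=$NewPort remoteip=$AllowedFrom profile=any | Out-Null

# 3. Restart the Remote Desktop service (-Force also restarts its dependents) so the
#    new port takes effect.
Restart-Service -Name TermService -Force

# 4. Verify: the listener should be on the new port, NLA on, and the rule present.
$listening = netstat -ano | Select-String ":$NewPort\s"
Write-Host "Listener on $NewPort : $([bool]$listening)"
Write-Host "NLA enabled       : $((Get-ItemProperty $RdpKey).UserAuthentication -eq 1)"
netsh advfirewall firewall show rule name="RDP restricted"
```

The router's port forward must then target the new internal port (or, alternatively, leave PortNumber at 3389 and forward external 3391 to internal 3389, in which case only the firewall source restriction is needed).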



gjm

757 posts

Ultimate Geek


  #1054541 27-May-2014 19:06

Or you could use TeamViewer and restrict access to only the TeamViewer accounts you specify. Still not ideal, but better than exposing 3389 to the internet.




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

23263 posts

Uber Geek

Trusted
Subscriber

  #1054588 27-May-2014 20:04

I had 3389 put through to one of my downloading machines for a while. It was getting someone grinding away at it with great regularity.




Richard rich.ms
