Geekzone: technology news, blogs, forums

Topic # 146717, 27-May-2014 08:29, by Wannabe Geek (10 posts)

I run a work network comprising a Netgear ADSL modem/router and 5 computers peer-to-peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 gig a day. Obviously it was not anything I was doing. In the Resource Monitor, svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward port 3389 (standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. 1320 in Services was being used by TermService, NlaSvc, plus some others including Remote Desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the questions I have (and perhaps a problem):
1. What was happening?
2. If I change forwarding ports to other than 3389 (say 3391), once 3389 has been used, RDP does not seem to work. I did also change the registry setting to 3391 from the standard 3389. Solution?
3. Any other issues that I need to look at?
Thanks
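The PID-to-service mapping the post above did by hand, plus a check of the RDP listener and recent failed logons, as an added example (not code from the thread). It assumes Windows 7 or later with PowerShell 2+, run from an elevated prompt; function names are my own.

```powershell
# Added example: map established TCP connections to their owning process and,
# for svchost.exe, to the services hosted in that PID; then report the RDP
# listener settings and failed logons in the last 24 hours.

function Get-ConnectionOwners {
    # Parse 'netstat -ano -p tcp'; the first four lines are headings.
    netstat -ano -p tcp | Select-Object -Skip 4 | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq 'ESTABLISHED') {
            $ownerPid = [int]$f[4]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            # One svchost PID hosts several services (TermService, NlaSvc, ...),
            # so resolve the PID to service names instead of stopping at 'svchost'.
            $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId=$ownerPid" |
                      ForEach-Object { $_.Name }) -join ','
            New-Object PSObject -Property @{
                Local    = $f[1]
                Remote   = $f[2]
                Pid      = $ownerPid
                Process  = $(if ($proc) { $proc.ProcessName } else { '?' })
                Services = $svcs
            }
        }
    }
}

function Get-RdpStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $p = Get-ItemProperty -Path $key
    # Event 4625 = failed logon. A steady stream of them against an
    # internet-facing RDP port is what password guessing looks like in the log.
    $failed = @(Get-EventLog -LogName Security -InstanceId 4625 `
                -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue).Count
    New-Object PSObject -Property @{
        ListenerPort    = $p.PortNumber
        NlaRequired     = ($p.UserAuthentication -eq 1)
        FailedLogons24h = $failed
    }
}

# Connections owned by the svchost that hosts Remote Desktop (TermService).
Get-ConnectionOwners | Where-Object { $_.Services -match 'TermService' } |
    Format-Table Local, Remote, Pid, Process, Services -AutoSize
Get-RdpStatus
```

Drop the Where-Object filter to see every established connection with its owner; the Remote column is where a destination like the one named in the post shows up.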

Reply # 1054072, 27-May-2014 08:36, Uber Geek (4430 posts; Moderator, Trusted, Lifetime subscriber)

There was an infection a year or two ago that exploited RDP, you might have picked it up?

How easy is it for you to rebuild the PC?
Reply # 1054085, 27-May-2014 08:43, Uber Geek (13918 posts; Trusted, Subscriber)

Did you run something like Malwarebytes, which is free? I assume you have a supported operating system that's fully patched?


AWS Certified Solution Architect Professional, SysOps Administrator Associate, and Developer Associate; TOGAF certified enterprise architect; professional photographer

Reply # 1054088, 27-May-2014 08:48, Wannabe Geek (10 posts)

Hi,
After I first noticed the upload traffic I did a fresh install of Windows 7 Pro and installed all the latest updates.

Reply # 1054089, 27-May-2014 08:48, Uber Geek (4955 posts; Trusted, Microsoft)

RDP will happily run on another port.

But you shouldn't really rely on just the RDP password authentication; ideally run a VPN underneath or use certs.

My guess is the machine didn't have a strong password, and a dictionary attack has compromised the machine.

The PC needs to be flattened and reinstalled.

Reply # 1054092, 27-May-2014 08:52, Uber Geek (26485 posts; Moderator, Trusted, Biddle Corp, Lifetime subscriber). 4 people support this post.

Leaving RDP open and exposed to the internet with no firewall restrictions is just a fundamental security failing. It's just not something you should ever do.

If they had RDP access to a single machine on a network then every machine on that network should be treated as compromised.


Reply # 1054099, 27-May-2014 09:02, Wannabe Geek (10 posts)

I am running MS Security Essentials plus the firewall within Windows.
What restrictions would I need to put in place?
Just to clarify: there was never an RDP hookup on my computer with another. I was always logged on as the user. Could the upload data be a DoS attack from my computer to another?

Reply # 1054102, 27-May-2014 09:07, Uber Geek (26485 posts; Moderator, Trusted, Biddle Corp, Lifetime subscriber)

RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.


Reply # 1054103, 27-May-2014 09:08, Uber Geek (4955 posts; Trusted, Microsoft)

How strong was your password?

Reply # 1054117, 27-May-2014 09:26, Uber Geek (4955 posts; Trusted, Microsoft)

What operating system?


Reply # 1054118, 27-May-2014 09:28, Wannabe Geek (10 posts)

Thanks for your reply, sbiddle. Are you able to offer any advice on the best setup for RDP and VPN so I can access my work computer from home?


Reply # 1054122, 27-May-2014 09:35, Uber Geek (26485 posts; Moderator, Trusted, Biddle Corp, Lifetime subscriber)

Buy a router that supports VPN access allowing you to establish a VPN connection into your network. Once you've done that you'll be able to RDP into your machine.


Reply # 1054174, 27-May-2014 10:20, Uber Geek (5198 posts; Trusted, Lifetime subscriber)

Draytek

Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install Naked DSL, DSL master splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour.
Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com

Reply # 1054504, 27-May-2014 18:34, Uber Geek (8025 posts; Trusted, Subscriber). One person supports this post.

Yes, ideally you want a modem/router that supports VPN connections, so you can establish a VPN from your home computer to your work network and then remote desktop over that VPN connection.

If you are going to allow remote desktop directly, at least follow these steps to maximize the security (change port, NLA, etc.):
http://jack-brennan.com/securing-remote-desktop-on-windows-8-and-windows-7/
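The hardening that reply and the earlier ones describe (NLA, a non-default port, RDP reachable only from a VPN or office range, lockout against password guessing), as an added example in PowerShell for Windows 7 or later; it is not the linked guide's content or code from anyone in the thread. The allowed range is a placeholder, and the rule name is my own.

```powershell
# Added example: lock down an RDP listener on a workgroup PC. Run elevated.
# If you are connected over RDP while running this, the TermService restart
# will drop your session, so run it from the console.

$allowedRange = '203.0.113.0/24'   # placeholder: the VPN or office range allowed in
$rdpPort      = 3389               # 3391 if you moved the listener, as the OP did
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Listener: require Network Level Authentication and TLS, so no logon
#    screen is shown before the client has authenticated. A changed PortNumber
#    only takes effect after TermService restarts, and the router's port
#    forward must point at the same port.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $rdpPort
Restart-Service TermService -Force

# 2. Firewall: the built-in 'Remote Desktop' rules allow 3389 from any address
#    and only 3389 (which is why RDP stops working after a registry port change
#    with no matching rule). Disable them and allow the chosen port from
#    $allowedRange only.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name="RDP from allowed range only" `
    dir=in action=allow protocol=TCP "localport=$rdpPort" "remoteip=$allowedRange"

# 3. Accounts: lock out after repeated failures so a dictionary attack stalls.
#    This is a peer-to-peer network, so these are local account policies.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Verify: the only enabled RDP rule should be the one scoped to $allowedRange.
netsh advfirewall firewall show rule name="RDP from allowed range only"
```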


Reply # 1054541, 27-May-2014 19:06, gjm, Ultimate Geek (745 posts). One person supports this post.

Or you could use TeamViewer and restrict access to only the TeamViewer accounts you specify. Still not ideal, but better than exposing 3389 to the internet.


[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

Reply # 1054588, 27-May-2014 20:04, Uber Geek (21124 posts; Trusted, Subscriber)

I had 3389 put through to one of my downloading machines for a while. It was getting someone grinding away at it with great regularity.




Richard rich.ms
