Geekzone: technology news, blogs, forums
Topic # 146717 27-May-2014 08:29 (10 posts, Wannabe Geek)
I run a work network comprising a Netgear ADSL modem/router and 5 computers peer-to-peer networked together. I run a static IP. I noticed about a week ago that I was getting a huge amount of upload data traffic from my computer.

It could be between 3-4 GB a day. Obviously it was not anything I was doing. In Resource Monitor, svchost.exe was sending 12,000 b/sec to a site overseas. I am using MS Security Essentials. I ran a few online virus scanners and malware detectors with no positive results. I have reinstalled my operating system and factory reset my router. I also remote desktop from home to my work computer. I forward port 3389 (the standard RDP port) on my router to my computer's internal IP address. I forward 3390 to my colleague's computer.

This morning I have traffic being uploaded to a site, ds9777.dedicated.turbodns.co.uk. Looking at Resource Monitor, svchost was using PID 1320. PID 1320 in Services was being used by TermService, NlaSvc, plus some others including Remote Desktop. I guessed that RDP was being used. I changed the port forwarding settings on the router to my computer to 3391. Traffic has now stopped.

So the questions I have (and perhaps a problem):
1. What was happening?
2. If I change the forwarding port to something other than 3389 (say 3391), once 3389 has been used, RDP does not seem to work. I did also change the registry setting from the standard 3389 to 3391. Solution?
3. Any other issues that I need to look at?
Thanks
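As an added example (not part of the original post), the check the poster did by hand in Resource Monitor, done in PowerShell: every established TCP connection owned by an svchost.exe instance, the services hosted in that PID, and a reverse lookup of the remote end. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection is not on Windows 7; there `netstat -ano` plus `tasklist /svc` gives the same PID-to-service mapping) and an elevated prompt. Because one svchost hosts several services, the PID narrows the suspect list but does not by itself prove which service is talking; the direction and ports of the connection matter as much as the PID.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or
# later (NetTCPIP module) and an elevated PowerShell prompt.

# 1. Every established TCP connection owned by an svchost.exe instance.
$svchostPids = (Get-Process -Name svchost).Id
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.OwningProcess -in $svchostPids }

$report = foreach ($c in $conns) {
    # 2. Which services share this PID? Several services are hosted per svchost
    #    (TermService, NlaSvc, ...), so the PID alone only narrows the suspect list.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
        Select-Object -ExpandProperty Name

    # 3. Reverse-resolve the remote address; a PTR record is advisory only and is
    #    controlled by whoever owns that address space.
    $rdns = try { [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName } catch { '(no PTR)' }

    [PSCustomObject]@{
        PID       = $c.OwningProcess
        Local     = "$($c.LocalAddress):$($c.LocalPort)"
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        RemoteDNS = $rdns
        Services  = ($services -join ', ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize

# 4. Separately: who is connected to the RDP listener right now? An inbound session
#    on the listener port (3389 by default) is what an RDP login actually looks like;
#    an outbound stream from svchost to an arbitrary remote port is something else.
$rdpPort = 3389   # change if PortNumber under HKLM\...\WinStations\RDP-Tcp was changed
Get-NetTCPConnection -LocalPort $rdpPort -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize
```

Run it while the upload is happening; a connection that survives a reboot and a fresh OS install from a PID that hosts TermService is a reason to look at who has logged on interactively (Security log, event 4624 with LogonType 10), not just at the service list.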

Reply # 1054072 27-May-2014 08:36 (4087 posts, Uber Geek, Moderator, Trusted, Subscriber)

There was an infection a year or two ago that exploited RDP; you might have picked it up?

How easy is it for you to rebuild the PC?



Reply # 1054085 27-May-2014 08:43 (13165 posts, Uber Geek, Trusted, Subscriber)

Did you run something like Malwarebytes, which is free? I assume you have a supported operating system that's fully patched?




Reply # 1054088 27-May-2014 08:48 (10 posts, Wannabe Geek)

Hi,
After I first noticed the upload traffic I did a fresh install of Windows 7 Pro and installed all the latest updates.

Reply # 1054089 27-May-2014 08:48 (4936 posts, Uber Geek, Trusted, Microsoft)

RDP will happily run on another port.

But you shouldn't really rely on just the RDP password authentication; ideally run a VPN underneath or use certs.

My guess is the machine didn't have a strong password, and a dictionary attack has compromised the machine.

The PC needs to be flattened and reinstalled.

Reply # 1054092 27-May-2014 08:52 (25459 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Subscriber). 4 people support this post.

Leaving RDP open and exposed to the internet with no firewall restrictions is just a fundamental security failing. It's just not something you should ever do.

If they had RDP access to a single machine on a network then every machine on that network should be treated as compromised.







Reply # 1054099 27-May-2014 09:02 (10 posts, Wannabe Geek)

I am running MS Security Essentials plus the firewall within Windows.
What restrictions would I need to put in place?
Just to clarify: there was never an RDP hookup on my computer with another. I was always logged on as the user. Could the upload data be a DoS attack from my computer to another?

Reply # 1054102 27-May-2014 09:07 (25459 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Subscriber)

RDP access should only ever be allowed via specific IP range(s) or via VPN. Exposing it to the internet with no restrictions as you have done is just something you should never do.

 

Reply # 1054103 27-May-2014 09:08 (4936 posts, Uber Geek, Trusted, Microsoft)

How strong was your password?

Reply # 1054117 27-May-2014 09:26 (4936 posts, Uber Geek, Trusted, Microsoft)

What operating system?



Reply # 1054118 27-May-2014 09:28 (10 posts, Wannabe Geek)

Thanks for your reply, sbiddle. Are you able to offer any advice on the best setup for RDP and VPN so I can access my work computer from home?


Reply # 1054122 27-May-2014 09:35 (25459 posts, Uber Geek, Moderator, Trusted, Biddle Corp, Subscriber)

Buy a router that supports VPN access allowing you to establish a VPN connection into your network. Once you've done that you'll be able to RDP into your machine.


Reply # 1054174 27-May-2014 10:20 (5019 posts, Uber Geek, Trusted, Subscriber)

Draytek





Reply # 1054504 27-May-2014 18:34 (8019 posts, Uber Geek, Trusted, Subscriber). One person supports this post.

Yes, ideally you want a modem/router that supports VPN connections, so you can establish a VPN from your work computer to your home network and then remote desktop over that VPN connection.

If you are going to allow Remote Desktop directly, at least follow these steps to maximize the security (change port, NLA, etc.):
http://jack-brennan.com/securing-remote-desktop-on-windows-8-and-windows-7/
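Pulling together sbiddle's point earlier in the thread (allow RDP only from specific source ranges), the port and NLA steps this reply points at, and the poster's question 2 (RDP stops working after the registry port change), here is an added PowerShell example that is not from the thread or from the linked page. It assumes Windows 8.1 / Server 2012 R2 or later for the NetSecurity cmdlets, an elevated prompt on the exposed work PC, and uses 203.0.113.0/24 (a documentation range) as a stand-in for the home connection's static address range. It also shows why the port change alone broke RDP: the built-in firewall rule only admits 3389, and the listener only rereads PortNumber when TermService restarts.

```powershell
# Added example, not from the thread. Assumes Windows 8.1 / Server 2012 R2 or later
# and an elevated prompt. 203.0.113.0/24 is a placeholder for the real source range.

$AllowedRemote = @('203.0.113.0/24')   # ASSUMPTION: replace with the home IP range(s)
$RdpPort       = 3391                   # non-default port: less log noise, not a control
$ts            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Require Network Level Authentication over TLS, so credentials are checked
#    before a session (and its attack surface) is created.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication  -Value 1
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name SecurityLayer       -Value 2  # TLS
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name MinEncryptionLevel  -Value 3  # High

# 2. Move the listener. This is the poster's registry change; on its own it leaves
#    RDP unreachable because the stock firewall rule only allows 3389.
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber -Value $RdpPort

# 3. Disable the built-in any-source "Remote Desktop" rules and add one scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
$ruleName = "RDP $RdpPort from trusted ranges"
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $RdpPort -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null

# 4. Make password guessing expensive for local accounts: lock after 5 failures
#    within 15 minutes, for 15 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 5. Restart the service so the new port and NLA settings take effect. This drops
#    any current RDP session, so run it from the console or a scheduled task.
Restart-Service -Name TermService -Force

# Verify: the listener is on the new port, and the only enabled RDP rule is scoped.
Get-NetTCPConnection -LocalPort $RdpPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The router's port-forward must be updated to the same port, and the scope list has to be maintained when the home address changes; if that is impractical (dynamic home IP), that is exactly the case for the VPN the thread recommends rather than for widening the range.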



gjm, Reply # 1054541 27-May-2014 19:06 (733 posts, Ultimate Geek). One person supports this post.

Or you could use TeamViewer and restrict access to only the TeamViewer accounts you specify. Still not ideal, but better than exposing 3389 to the internet.




Reply # 1054588 27-May-2014 20:04 (20265 posts, Uber Geek, Trusted, Subscriber)

I had 3389 put through to one of my downloading machines for a while. It was getting someone grinding away at it with great regularity.




Richard rich.ms
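That grinding leaves a trail in the Security log. As an added example (not from the thread), a PowerShell script that pulls failed-logon events (ID 4625) for the last N hours, keeps only the remote logon types, and groups them by source address, so a password-guessing run against an exposed RDP listener shows up as one IP with many attempts across many usernames. It assumes an elevated prompt and that logon-failure auditing is on (the default); the threshold and window are parameters, not recommendations.

```powershell
# Added example, not from the thread. Run elevated: reading the Security log
# requires administrator rights. Defaults: last 24 hours, report IPs with >= 10 failures.
param([int]$Hours = 24, [int]$Threshold = 10)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields live in EventData; pull them by name, not by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [PSCustomObject]@{
        Time      = $e.TimeCreated
        SourceIP  = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = [int]$d['LogonType']
        SubStatus = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# LogonType 10 = RemoteInteractive (classic RDP); 3 = Network, which is what an
# NLA-fronted RDP listener records for a failed credential check. Drop local noise.
$remote = $rows | Where-Object {
    $_.LogonType -in 3, 10 -and $_.SourceIP -notin '-', '::1', '127.0.0.1'
}

$remote | Group-Object SourceIP | Where-Object Count -ge $Threshold | ForEach-Object {
    [PSCustomObject]@{
        SourceIP     = $_.Name
        Attempts     = $_.Count
        UniqueUsers  = ($_.Group.User | Sort-Object -Unique).Count
        SampleUsers  = (($_.Group.User | Sort-Object -Unique | Select-Object -First 6) -join ', ')
        First        = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last         = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

A source with hundreds of 0xC0000064 failures cycling through administrator, admin, user, test and the like is a dictionary run; a source that flips from failures to a 4624 success for a real account is the one to treat as a compromise, which is what the thread's "flatten and reinstall" advice is about.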
