Windows 10 - Remote Desktop Hacked

Associate
Joined
27 Dec 2004
Posts
1,663
Location
Staffordshire
Hello OCUK,

I've woken up this morning to a Notepad text file on the desktop of my home server named 'hacked.txt', which was placed there a little after 2am this morning and simply says 'secure your server idiot'... fair comment, they've got in, I can't argue.

Coincidentally, I formatted the Windows drive and completed a fresh Windows 10 install only a couple of days ago and have installed the bare minimum in respect of software, all of which is paid/freeware (so no cracks/exploits to worry about). Having reviewed the event log, it appears that for several hours a script was attempting to gain access to my system via RDP, generating multiple 'Audit Failures' trying to log in with multiple usernames: SuperUser, admin, Rodgiro, Sara etc.

Previously I'll admit to being a little lax on security, relying on Windows Defender. In an attempt to re-secure my system I've done the following:

  • Installed Malwarebytes, Avast Antivirus & ZoneAlarm Firewall and run scans with all of them, which have come up clear. Looks like my hacker might have just been experimenting?
  • Removed all port forwards to my server from my router, with the exception of one for Plex Media Server
  • Set up an OpenVPN server on my router to access my server remotely.
  • Changed my RDP port from the default
  • Changed system usernames and passwords

Are there any other steps you would suggest I take to further secure my system from hack attempts?

Many thanks

Russ
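The post above says the Security log shows hours of 'Audit Failures' against RDP but does not say whether any attempt succeeded, which is the one thing the hacked.txt file implies. The following PowerShell is an added example, not code from the thread or from any of its posters: it parses 4625 (failed logon) and 4624 (successful logon) events, groups the failures by source address and the usernames tried, and lists every successful RemoteInteractive (logon type 10) session. It assumes the standard Security log field names; the three embedded events and the 203.0.113.7 address are constructed sample data so the parser can be tried offline.

```powershell
# Added example, not code from the thread. Summarises RDP logon activity from
# the Security log. Assumes the standard event layout: 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP) and
# logon type 3 = network, which is what NLA records when it rejects credentials
# before a session exists.

function ConvertFrom-LogonEventXml {
    # Flatten the XML of one 4624/4625 event into an object with the fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x    = [xml] $EventXml
        $sys  = $x.Event.System
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = [datetime] $sys.TimeCreated.SystemTime
            EventId   = [int] $sys.SelectSingleNode("*[local-name()='EventID']").InnerText
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = [int] $data['LogonType']
            Status    = $data['Status']
        }
    }
}

function Get-RdpLogonSummary {
    param([Parameter(Mandatory)] [object[]] $Events)
    $rdp       = $Events | Where-Object { $_.LogonType -in 3, 10 }
    $failures  = $rdp | Where-Object { $_.EventId -eq 4625 }
    $successes = $rdp | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 10 }
    [pscustomobject]@{
        # Who was guessing, how many times, and which account names they tried.
        FailuresBySource = $failures | Group-Object Source | Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = $_.Name
                    Attempts = $_.Count
                    Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
                }
            }
        # A row here from an address you do not recognise is the actual compromise.
        RemoteSuccesses = $successes | Select-Object Time, User, Source
    }
}

# Constructed sample events (not real log data) so the functions can be tried offline.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    "<Event xmlns='$ns'><System><EventID>4625</EventID><TimeCreated SystemTime='2020-03-14T02:03:11.000Z'/></System><EventData><Data Name='TargetUserName'>admin</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>203.0.113.7</Data><Data Name='Status'>0xc000006d</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4625</EventID><TimeCreated SystemTime='2020-03-14T02:03:12.000Z'/></System><EventData><Data Name='TargetUserName'>SuperUser</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>203.0.113.7</Data><Data Name='Status'>0xc000006d</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='2020-03-14T02:09:40.000Z'/></System><EventData><Data Name='TargetUserName'>Russ</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>203.0.113.7</Data><Data Name='Status'>0x0</Data></EventData></Event>"
)
Get-RdpLogonSummary -Events ($sample | ConvertFrom-LogonEventXml) | Format-List

# Live use, from an elevated prompt: everything from the last 24 hours.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
if ($live) { Get-RdpLogonSummary -Events $live | Format-List }
```

On the constructed sample the summary reports one source with two attempts against 'SuperUser, admin' and one successful type-10 logon by Russ from the same address, which is the pattern that would confirm the guessing script got in. With NLA enabled the failures appear as logon type 3 rather than 10, which is why the filter accepts both.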
 
Soldato
Joined
21 Dec 2019
Posts
6,507
Location
Planet Thanet
you're lucky
you didn't wake up to everything encrypted
and a ransom demand
hope all your new usernames and passwords
are complex ones?
including Wi-Fi and router ones
the person involved may be closer to you
than you think
if using Wi-Fi
 
Man of Honour
Joined
13 Oct 2006
Posts
91,053
How up to date was the 10 install? There are a few quite serious security issues in RDP in 10 if you aren't on the latest updates as of around a month ago.

If they managed to brute force your password all bets are off. Using a VPN to log in will help there if you need remote access, but even then I would make sure that multiple incorrect logins are blacklisting that IP and/or whitelist the connections that are allowed.
 
Associate
OP
Joined
27 Dec 2004
Posts
1,663
Location
Staffordshire
you're lucky
you didn't wake up to everything encrypted
and a ransom demand
hope all your new usernames and passwords
are complex ones?
including Wi-Fi and router ones
the person involved may be closer to you
than you think
if using Wi-Fi


I've gone with complex passwords, upper and lower case, symbols and numbers.

I'll change my Wi-Fi as an extra security measure; however, I have reviewed my router logs and cannot see anything that concerns me in the logs. The IPs logged for the remote access attempts are external IP addresses.
 
Associate
OP
Joined
27 Dec 2004
Posts
1,663
Location
Staffordshire
How up to date was the 10 install? There are a few quite serious security issues in RDP in 10 if you aren't on the latest updates as of around a month ago.

If they managed to brute force your password all bets are off. Using a VPN to log in will help there if you need remote access, but even then I would make sure that multiple incorrect logins are blacklisting that IP and/or whitelist the connections that are allowed.

Fully up to date, freshly downloaded from MS and loaded onto a USB stick, and all updates listed on Windows Update installed prior to last night's hack.

Remove RDP on the router instantly. I noticed you have done this.

Don’t use RDP!

Can you suggest alternatives to RDP? I've been unfortunate in many respects as the server isn't on 24/7; it ordinarily operates on demand using WOL, however last night I had been sitting up watching a movie and I guess the login attempts prevented it from going to sleep like it ordinarily would.

Hey


I would have gone with 4 random words, e.g. CheeseOverclockersRandomWords or FiftyFiveScrewHackers

They say it's more secure than a complex password because of the length and randomness of the full characters. Easier to remember as well.

Good call, I might go down that route in all fairness, nothing wrong with having a change of password scheme.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,053
In a general sense these days password complexity doesn't help much really, as long as you don't use common passwords that will be first up in any dictionary attack. If they are able to attack with brute force they will crack even long and non-word passwords pretty quickly unless the system uses decent security measures itself, and even in this day and age far too many systems only store a relatively short hash of a password with multiple possible matches that aren't the exact password :( Sadly that makes things like 2FA important in this day and age, and often 2FA is implemented in such a way that it isn't convenient (or rather unnecessarily inconvenient due to poor design) so people don't bother!
 
Soldato
Joined
21 Dec 2019
Posts
6,507
Location
Planet Thanet
I've gone with complex passwords, upper and lower case, symbols and numbers.

I'll change my Wi-Fi as an extra security measure; however, I have reviewed my router logs and cannot see anything that concerns me in the logs. The IPs logged for the remote access attempts are external IP addresses.
can't hurt to change it anyway
if someone hacks the router then
logs can be deleted
or possibly altered/doctored to remove IP addresses
 
Associate
OP
Joined
27 Dec 2004
Posts
1,663
Location
Staffordshire
Did you have the RDP port (3389) open externally? If so is that intentional?

Previously, I had always had RDP open on an alternative port to 3389; however, having only re-installed Windows a day or so before, I literally hadn't got round to re-configuring it, but yes, it was open externally in the short term. Huge mistake on my part; I was naive to how insecure RDP is and how often RDP hack attempts occur. I have now changed the RDP port and have not configured any port forwarding to it; the only way I can remote desktop now is by logging in to my router-hosted OpenVPN server.

If you really need to use RDP, at least use SoftEther for an L2TP VPN with a preshared key!

What's the benefit of using SoftEther on my machine rather than accessing my home network using my router's built-in OpenVPN server?
 
Caporegime
Joined
18 Oct 2002
Posts
25,289
Location
Lake District
Previously, I had always had RDP open on an alternative port to 3389; however, having only re-installed Windows a day or so before, I literally hadn't got round to re-configuring it, but yes, it was open externally in the short term. Huge mistake on my part; I was naive to how insecure RDP is and how often RDP hack attempts occur. I have now changed the RDP port and have not configured any port forwarding to it; the only way I can remote desktop now is by logging in to my router-hosted OpenVPN server.



What's the benefit of using SoftEther on my machine rather than accessing my home network using my router's built-in OpenVPN server?
As long as RDP isn't open to the world, use whichever VPN server you wish.
 
Soldato
Joined
28 Sep 2008
Posts
14,129
Location
Britain
you're lucky
you didn't wake up to everything encrypted
and a ransom demand
hope all your new usernames and passwords
are complex ones?
including Wi-Fi and router ones
the person involved may be closer to you
than you think
if using Wi-Fi

I love your limericks, even though they don't always make sense.

There is nothing wrong with having RDP open (even 3389) through a firewall as long as you manage the rest behind it properly. So you can RDP to any firewall port and NAT to 3389 if easier, but even exposing 3389 isn't the end of the world. Disable (don't just rename) local admin passwords, have an RDP jump box which is then security tiered beyond that to your actual machines (I have a Server Core jump box which I land into via RDP and then RDP from there if required).
 
Soldato
Joined
25 Oct 2002
Posts
2,622
There is nothing wrong with having RDP open (even 3389) through a firewall as long as you manage the rest behind it properly. So you can RDP to any firewall port and NAT to 3389 if easier, but even exposing 3389 isn't the end of the world. Disable (don't just rename) local admin passwords, have an RDP jump box which is then security tiered beyond that to your actual machines (I have a Server Core jump box which I land into via RDP and then RDP from there if required).

Having RDP broadly open to the Internet is just not worth the risk, especially given the ease with which VPN servers can be configured these days. The protocol is not designed to be exposed on the Internet, and it has a history of serious security vulnerabilities. If you don't want to VPN for whatever reason then you should at least restrict it so that only specific IPs can connect from the outside, or if you have the capacity set up RD Gateway and access it via that.
 
Associate
Joined
1 Sep 2009
Posts
1,084
I have now changed the RDP port

Changing the RDP port will be of minimal value: it will stop script kiddies who only try the defaults, but it won't stop anyone who does port scans. For example, you can do an advanced search on shodan.io where service=RDP and port!=3389 to see everyone who's done the same trick.

You might want to update your firewall rules to only allow RDP access from trusted hosts or maybe private networks, as opposed to 'Any'.

The protocol is not designed to be exposed on the Internet, and it has a history of serious security vulnerabilities.
Also this.
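The advice in the two posts above (blacklist repeated failures, and scope the RDP firewall rule to trusted hosts or private networks rather than 'Any') is what actually closes the hole, whereas the port change the OP made only moves it. The following PowerShell is an added example, not code from the thread or from any of its posters. It enables Network Level Authentication, restricts the built-in Remote Desktop firewall rules to the VPN and LAN ranges, sets an account lockout threshold, and then reports the resulting state. The address ranges 10.8.0.0/24 (OpenVPN's default client pool) and 192.168.1.0/24 are assumptions and should be changed to match the router; the registry path and cmdlets are the standard Windows 10 ones.

```powershell
# Added example, not code from the thread. Locks RDP down to the VPN/LAN at the
# Windows firewall, requires NLA, sets account lockout, then reports the state.
# Assumed ranges: 10.8.0.0/24 (OpenVPN default client pool), 192.168.1.0/24 (LAN).
# Run from an elevated PowerShell; the firewall scope applies even if a port
# forward to the box is ever re-added by mistake.

$RdpRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Protect-RdpEndpoint {
    param(
        [string[]] $AllowedSources = @('10.8.0.0/24', '192.168.1.0/24'),  # assumed ranges
        [int] $LockoutThreshold = 10
    )
    # 1. Require NLA: credentials are checked over CredSSP before a session is
    #    created, so an unauthenticated client never reaches the logon screen or
    #    the RDP stack behind it.
    Set-ItemProperty -Path $RdpRegKey -Name UserAuthentication -Value 1 -Type DWord

    # 2. Scope the built-in 'Remote Desktop' rules to the allowed ranges instead of Any.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

    # 3. Lock accounts after repeated failures so a guessing script stalls.
    #    The built-in Administrator account is exempt from lockout by default,
    #    so disable it and connect as a named user instead.
    net accounts "/lockoutthreshold:$LockoutThreshold" /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-RdpExposure {
    # Report the settings that matter. Port is informational only: moving it
    # does not hide the listener from a port scan, the firewall scope does.
    $nla  = (Get-ItemProperty -Path $RdpRegKey -Name UserAuthentication).UserAuthentication
    $port = (Get-ItemProperty -Path $RdpRegKey -Name PortNumber).PortNumber
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object Enabled -eq 'True' |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ', ') }
        }
    $listen = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NlaRequired    = ($nla -eq 1)
        Port           = $port
        FirewallScopes = $scopes
        ListeningOn    = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    }
}

Protect-RdpEndpoint
Get-RdpExposure | Format-List
```

After running it, every rule under FirewallScopes should list only the VPN and LAN ranges; a rule still showing 'Any' means the group name differs on that build and needs checking by hand. If the scope ever locks you out from the console, `Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress Any` restores the default.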
 
Man of Honour
Joined
30 Oct 2003
Posts
13,251
Location
Essex
Why would anybody waste a ton of time hacking in just to let you know that they have got in and to serve you a warning?
 
Man of Honour
Joined
30 Oct 2003
Posts
13,251
Location
Essex
Not if it's all automatic.

I'm not sold. Yeah, I guess you could easily do it, but there is literally nothing to gain; people don't spend time doing these things with no gain. So we are saying then that there is some white knight going around giving out free pen tests?
 