Windows 10 - Remote Desktop Hacked

Hello OCUK,

I've woken up this morning to a Notepad text file on the desktop of my home server named 'hacked.txt', which was placed there a little after 2am this morning and simply says 'secure your server idiot'... Fair comment, they've got in, I can't argue.

Coincidentally, I formatted the Windows drive and completed a fresh Windows 10 install only a couple of days ago and have installed the bare minimum in respect of software, all of which is paid/freeware (so no cracks/exploits to worry about). Having reviewed the event log, it appears that for several hours a script was attempting to gain access to my system via RDP, generating multiple 'Audit Failures' trying to log in with multiple usernames: SuperUser, admin, Rodgiro, Sara, etc.

Previously I'll admit to being a little lax on security, relying on Windows Defender. In an attempt to re-secure my system I've done the following:

  • Installed Malwarebytes, Avast Antivirus & ZoneAlarm Firewall, and run scans with all of them, which have come up clear. Looks like my hacker might have just been experimenting?
  • Removed all port forwards to my server from my router, with the exception of one for Plex Media Server
  • Set up an OpenVPN server on my router to access my server remotely
  • Changed my RDP port from the default
  • Changed system usernames and passwords

Are there any other steps you would suggest I take to further secure my system from hack attempts?

Many thanks

Russ
 
You're lucky you didn't wake up to everything encrypted and a ransom demand. Hope all your new usernames and passwords are complex ones? Including wifi and router ones. The person involved may be closer to you than you think, if using wifi.


I've gone with complex passwords, upper and lower case, symbols and numbers.

I'll change my WiFi as an extra security measure; however, I have reviewed my router logs and cannot see anything that concerns me in the logs. The IPs logged for the remote access attempts are external IP addresses.
 
How up to date was the 10 install? There are a few quite serious security issues in RDP in 10 if you aren't on the latest updates as of around a month ago.

If they managed to brute force your password all bets are off. Using a VPN to log in will help there if you need remote access, but even then I would make sure that multiple incorrect logins are blacklisting that IP and/or whitelist connections that are allowed.
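For anyone wanting to actually see what the OP describes (the run of 'Audit Failure' entries with guessed usernames) and to act on the suggestion above of blacklisting a source after repeated failures, here is an added PowerShell example. It is not from anyone in this thread; it reads Security event 4625 (failed logon) from the local server, groups the failures by guessed account and by source IP, blocks any external source over a threshold with a Windows Firewall rule, and finally turns on local account lockout. The threshold, look-back window and rule name are my own assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Summarise RDP logon failures (Security event 4625)
# by account and source IP, block heavy offenders in Windows Firewall, enable lockout.
# Requires an elevated prompt (the Security log is not readable otherwise).

$Threshold = 10                          # failed attempts per source IP before blocking (assumed)
$Since     = (Get-Date).AddHours(-24)    # look-back window (assumed)
$RuleName  = 'Block-RDP-BruteForce'      # hypothetical firewall rule name

# 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive (classic RDP);
# type 3 (Network) is what RDP with Network Level Authentication logs, so keep both.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d   = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = [int]$d['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIp -and $_.SourceIp -ne '-' }

# Which usernames were guessed, and from where?
$failures | Group-Object Account  | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$bySource = $failures | Group-Object SourceIp | Sort-Object Count -Descending
$bySource | Select-Object Count, Name | Format-Table -AutoSize

# Block every source over the threshold. Private/loopback ranges are skipped so a
# mistyped password from the LAN cannot lock you out of your own box.
$offenders = $bySource |
    Where-Object { $_.Count -ge $Threshold -and
                   $_.Name -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1|fe80:)' } |
    ForEach-Object Name

if ($offenders) {
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Merge with addresses already on the rule rather than replacing them.
        $current = ($existing | Get-NetFirewallAddressFilter).RemoteAddress
        $merged  = @($current) + @($offenders) | Where-Object { $_ } | Sort-Object -Unique
        $existing | Set-NetFirewallRule -RemoteAddress $merged
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $offenders -Profile Any | Out-Null
    }
    Write-Host "Blocked $($offenders.Count) source address(es): $($offenders -join ', ')"
}

# Local account lockout: 5 bad passwords locks the account for 30 minutes, so a
# guessing script gets a handful of tries per half hour instead of thousands per hour.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

Two things worth knowing before relying on this: the lockout policy applies to your own accounts too, so a remote script that keeps hammering a real username will keep that account locked (which is a reason in itself to leave RDP behind the VPN rather than exposed), and a scheduled task running the script every few minutes is what turns it from a one-off report into the automatic blacklisting suggested above.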

Fully up to date, freshly downloaded from MS and loaded onto a USB stick, and all updates listed on Windows Update installed prior to last night's hack.

Remove RDP on the router instantly. I noticed you have done this.

Don’t use RDP!

Can you suggest alternatives to RDP? I've been unfortunate in many respects, as the server isn't on 24/7; it ordinarily operates on demand using WOL. However, last night I had been sitting up watching a movie and I guess the login attempts prevented it from going to sleep like it ordinarily would.

Hey

I would have gone with 4 random words, e.g. CheeseOverclockersRandomWords or FiftyFiveScrewHackers.

They say it's more secure than a complex password because of the length and randomness of the full characters. Easier to remember as well.

Good call, I might go down that route in all fairness, nothing wrong with having a change of password scheme.
 
Did you have the RDP port (3389) open externally? If so is that intentional?

Previously, I had always had RDP open on an alternative port to 3389; however, having only re-installed Windows a day or so before, I literally hadn't got round to re-configuring it. But yes, it was open externally in the short term, a huge mistake on my part; I was naive about how insecure RDP is and how often RDP hack attempts occur. I have now changed the RDP port and have not configured any port forwarding to it; the only way I can remote desktop now is by logging in to my router-hosted OpenVPN server.

If you really need to use RDP, at least use SoftEther for an L2TP VPN with a preshared key!

What's the benefit of using SoftEther on my machine rather than accessing my home network using my router's built-in OpenVPN server?
 