Windows 10 - Remote Desktop Hacked

This does happen, yes.

I mean, I'm not saying it doesn't, but given there is a single result (this thread) in Google for the following search term:

hacked.txt "secure your server idiot"

I'm guessing it isn't some white knight, and neither is it an automated script.
 
Even with a VPN in the mix, you probably want to have some kind of sentinel software running, along the lines of fail2ban (*nix only). There was RDPGuard for Windows, but I'm a bit out of the loop on RDP as I avoid using it due to security concerns.
 
...I'm guessing it isn't some white knight, and neither is it an automated script...

There used to be an organisation that auto-scanned for, and left a similar message for, people running WordPress deploys on default credentials, so it does happen.
 
...left a similar message for people running WordPress deploys on default credentials, so it does happen...

I made good money out of that :) To be honest, it also sounds like the OP has just whacked new software on in an attempt to secure things, but it might already be too late. If it was me and I was looking to mess with the OP, I'd be deploying keylogging software etc., and I can guarantee little old Avast wouldn't have a clue. Then, when it settles down in a few weeks/months, I'm back again.

I'm on multiple fixed IPs at home with all kinds of "stuff" going on and have had the same IPs for years, and still haven't had a chancer. Mind you, my footprint would be a bit different, and they would likely go for the management port on my firewall rather than try and circumvent it, and I guess that is why Fortinet made recommendations for me to change some port options when they were doing some work on it recently.
 
Are there any other steps you would suggest I take to further secure my system from hack attempts?

You've done a lot of the basics (disabled default accounts, secure passwords, changed the default port, etc.), as well as placing it all behind a VPN, although you should also enable the Account Lockout Policy if using RDP: it won't stop attacks, but it slows them down to some extent.

...there was RDPGuard...

This is also a good shout and works well, although there are Wail2Ban (probably EOL) and IPBan (https://github.com/DigitalRuby/IPBan) that may be worth looking at if you're using RDP for personal use.
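The Account Lockout Policy mentioned above, as an added worked example (this is not code from the thread or from any of the tools named in it). It sets a local lockout policy with `net accounts`, turns on failure auditing for logons so that bad attempts actually land in the Security log as event ID 4625, and then reads the effective policy back so you can confirm it took. The threshold, duration and window values are assumptions for a personal box; on a domain-joined machine the same settings come from Group Policy instead. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: configure and verify a local Account
# Lockout Policy on a Windows host that exposes RDP. Run elevated.
# The numbers are assumptions: 5 failures, lock for 30 min, reset window 30 min.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Without failure auditing there is nothing to watch: enable it for logons so
# every bad password shows up as event ID 4625 in the Security log.
auditpol /set /subcategory:"Logon" /failure:enable

function Get-LockoutPolicy {
    # Parse the plain-text table printed by 'net accounts' into a hashtable.
    # Only the three lockout rows are kept; the labels are the English ones.
    $policy = @{}
    net accounts | ForEach-Object {
        if ($_ -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s+(.+)$') {
            $policy[$matches[1]] = $matches[2].Trim()
        }
    }
    return $policy
}

$p = Get-LockoutPolicy
$p.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# 'Never' is what Windows prints when the threshold is 0, i.e. lockout disabled.
if ($p['Lockout threshold'] -eq 'Never') {
    Write-Warning 'Account lockout is disabled; an RDP password spray will run unthrottled.'
}
```

One caveat worth knowing before relying on this: the built-in Administrator account (RID 500) has historically been exempt from lockout, and only newer Windows builds offer an "Allow Administrator account lockout" policy to change that, which is one more reason the thread's advice to disable or rename the default accounts matters.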
 
...I'm guessing it isn't some white knight, and neither is it an automated script...

The text document has probably been put there manually; though I'll happily hold my hands up and say I have no idea how - compromised default login, some way of using the exposed port to then gain access to the filesystem.... I don't know. But I would put money on the fact that whoever did it, is indeed a white hat of sorts, and wanted to be helpful - I recently saw something similar with many Pi-hole instances exposed to the internet with no login credentials! Having a browse, you could see that most of them had rules set up along the lines of "SET A PASSWORD" or "SECURE THIS DEVICE". So there are good folk out there.

The attack has to be automated though - if you ever see the logs from things fired at port 3389, they commonly run alphabetically at 10 second intervals - and from past experience, often originate from China or India. Once it exhausts the common admin variations, it then rattles through male and female (typically Western) names - but at the time, there were often just first names - not sure they understand that most corporations will have more than one Sarah :D
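The pattern described above (one source walking alphabetically through usernames at a steady cadence) is exactly what a fail2ban-style sentinel, as suggested earlier in the thread, keys on. The following is an added example and is not code from the thread, from fail2ban, RDPGuard or IPBan: it reads 4625 failed-logon events from the Security log, groups them by source address, flags any source over a threshold together with how many distinct usernames it tried and the median gap between attempts, and blocks flagged sources with a Windows Firewall rule. The function names, the rule name prefix, the threshold and the sample events are all assumptions; the sample data is constructed (RFC 5737 addresses) so the analysis part runs offline without touching the event log or the firewall.

```powershell
# Added example, not from the thread: a minimal fail2ban-style watcher for RDP.
# Function names, thresholds, rule naming and sample data are assumptions.

function Get-FailedLogons {
    param([int]$Minutes = 10)
    # Pull event ID 4625 from the last N minutes and project the fields we need.
    # Logon type is kept but not filtered on: with NLA enabled, failed RDP
    # attempts are commonly logged as type 3 (network) rather than type 10.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Ip        = $d['IpAddress']
            LogonType = $d['LogonType']
        }
    }
}

function Find-BruteForceSources {
    param(
        [object[]]$Events,
        [int]$Threshold = 10
    )
    # Ignore local/console failures (IpAddress is '-' for those), then summarise
    # each remote source that crossed the threshold.
    $Events | Where-Object { $_.Ip -and $_.Ip -ne '-' -and $_.Ip -ne '127.0.0.1' } |
        Group-Object Ip | Where-Object Count -ge $Threshold | ForEach-Object {
            $times = $_.Group | Sort-Object Time | Select-Object -ExpandProperty Time
            $gaps  = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
            [pscustomobject]@{
                Ip            = $_.Name
                Attempts      = $_.Count
                DistinctUsers = ($_.Group.User | Select-Object -Unique).Count
                MedianGapSec  = ($gaps | Sort-Object)[[int]($gaps.Count / 2)]
            }
        }
}

function Block-Source {
    param([string]$Ip)
    # One inbound block rule per source, idempotent so repeated runs are safe.
    $name = "RDP-AutoBan $Ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -RemoteAddress $Ip | Out-Null
    }
}

# Constructed sample: one source walking an alphabetical username list every
# 10 seconds (the cadence described in the thread), plus one genuine typo.
$t0 = Get-Date '2024-01-01 03:00:00'
$names = 'administrator','admin','alice','amy','andrew','anna','ben','bob','brian','carol','chris','clare'
$sample = @()
for ($i = 0; $i -lt $names.Count; $i++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(10 * $i); User = $names[$i]; Ip = '203.0.113.7'; LogonType = '3' }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(5); User = 'sarah'; Ip = '192.0.2.9'; LogonType = '10' }

# Offline run over the sample: only 203.0.113.7 is reported (12 attempts,
# 12 distinct users, median gap 10 s); 192.0.2.9 stays under the threshold.
Find-BruteForceSources -Events $sample | Format-Table -AutoSize

# Live use (elevated): read the real log and ban anything that crosses the line.
# Find-BruteForceSources -Events (Get-FailedLogons -Minutes 10) | ForEach-Object { Block-Source $_.Ip }
```

Schedule the live line as a task every few minutes and the box behaves much like fail2ban would. Two things to check before trusting it: make sure the VPN gateway or any NAT in front of the host is not what shows up as `IpAddress` (or you will ban yourself), and keep the Account Lockout Policy in place as well, since the ban only applies after the threshold is reached.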
 