RDP Hacked

FlashSA

Executive Member
Joined
Oct 19, 2007
Messages
7,970
So I unlocked my office PC this morning. Immediate spidey tingling. Saw Windows programs open, Symantec asking for a reboot to effect changes and a Chrome tab with Capitec Bank online banking open.

Jumped into Chrome history and at 3:15am there were 2 bitcoin site entries. Confirmed that a hacker must have cracked my PC password, entered into our network via the RDP routing (I had changed port to 3390 so they must have portscanned to get the open RDP port), uninstalled Symantec and installed some bitcoin mining software. I also noticed a windows update installed by picking up a restore point created in system restore.

I checked both my Google Drive and Dropbox apps and there were no file changes uploaded so luckily my document stores seem untouched.

I am so upset and miffed by this. I immediately yanked the PC off the network, wiped and re-installed windows and am busy pulling my stuff down from the cloud. I have also closed the RDP ports on the router. This feels as big a violation as a house burglary. Sucks!
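The sequence reconstructed above (a password guessed over an exposed RDP port, then a logon in the small hours) leaves a very specific trail in the Windows Security log: a run of Event ID 4625 failures from one source address followed by a 4624 success with Logon Type 10 from the same address. The script below is an added example, not part of the original post or of any product; it assumes the events have already been exported (for instance with Get-WinEvent) into dicts with the fields shown, and the sample records are constructed for the demonstration.

```python
"""Added example (not from the thread): spotting an RDP password-guessing run
that ends in a successful logon, using Windows Security log records.

Assumed input format (my assumption, not the thread's): each record is a dict
with the time, Event ID, Logon Type, target user and source address, as you
would get after exporting 4624/4625 events with Get-WinEvent and picking those
fields out of the event XML. The sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # "An account failed to log on"
SUCCESSFUL_LOGON = 4624      # "An account was successfully logged on"
REMOTE_INTERACTIVE = 10      # Logon Type 10: RDP / Terminal Services

# Constructed sample: six guesses from one internet address over a few
# minutes, a successful logon from the same address at 03:15, and one
# mistyped password from a LAN workstation later that morning.
SAMPLE_EVENTS = [
    {"time": "2019-03-12 03:02:11", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:02:14", "id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:02:19", "id": 4625, "logon_type": 10, "user": "flash",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:02:25", "id": 4625, "logon_type": 10, "user": "flash",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:03:01", "id": 4625, "logon_type": 10, "user": "flash",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:05:40", "id": 4625, "logon_type": 10, "user": "flash",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 03:15:02", "id": 4624, "logon_type": 10, "user": "flash",         "src_ip": "198.51.100.23"},
    {"time": "2019-03-12 08:00:00", "id": 4624, "logon_type": 3,  "user": "flash",         "src_ip": "192.168.1.50"},
    {"time": "2019-03-12 08:01:00", "id": 4625, "logon_type": 10, "user": "flash",         "src_ip": "192.168.1.50"},
    {"time": "2019-03-12 08:01:20", "id": 4624, "logon_type": 10, "user": "flash",         "src_ip": "192.168.1.50"},
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_guessing_runs(events, min_failures=5, window=timedelta(minutes=30),
                       failure_logon_types=(REMOTE_INTERACTIVE,)):
    """Return {src_ip: summary} for every source that accumulated at least
    `min_failures` RDP logon failures inside `window` and then logged on
    successfully over RDP.  Sources that never succeed are not reported here;
    they are plain brute-force noise and belong in a separate count."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        by_src[ev["src_ip"]].append(ev)

    runs = {}
    for src, evs in by_src.items():
        recent_failures = []  # (time, user) pairs still inside the sliding window
        for ev in evs:
            now = parse_time(ev["time"])
            recent_failures = [f for f in recent_failures if now - f[0] <= window]
            if ev["id"] == FAILED_LOGON and ev["logon_type"] in failure_logon_types:
                recent_failures.append((now, ev["user"]))
            elif (ev["id"] == SUCCESSFUL_LOGON and ev["logon_type"] == REMOTE_INTERACTIVE
                  and len(recent_failures) >= min_failures):
                runs[src] = {
                    "failures": len(recent_failures),
                    "users_tried": sorted({u for _, u in recent_failures}),
                    "success_at": ev["time"],
                    "success_user": ev["user"],
                }
    return runs


if __name__ == "__main__":
    for src, info in find_guessing_runs(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures against {info['users_tried']}, "
              f"then logged on as {info['success_user']} at {info['success_at']}")
```

Two practical notes. The source address is recorded whatever port RDP listens on, so moving the listener to 3390 changes nothing in this trail. And on hosts with Network Level Authentication enabled, failed RDP attempts are commonly logged as 4625 with Logon Type 3 rather than 10, so on such a machine widen `failure_logon_types` to `(10, 3)` or the guessing run will be invisible to this check.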
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
Is this an "office PC" like at a corporate or do you work from home and it's that kind of office PC?

And in either case why is RDP open directly to the internet? And more so why only with a password?
 

FlashSA

Executive Member
Joined
Oct 19, 2007
Messages
7,970
Is this an "office PC" like at a corporate or do you work from home and it's that kind of office PC?

And in either case why is RDP open directly to the internet? And more so why only with a password?
We are a family small business. PC is at the office premises. I had it open so that I could occasionally connect to my office PC from home.
 

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,342
Sorry for your experience but please make sure that you change all your passwords on all your sensitive accounts. I presume they "guessed" your Windows password, so please ensure that your new Windows password is strong as well. As DrJohnZoidberg has said, never expose RDP to the internet; rather put it behind a VPN. How many other devices are on the network? Have you checked them as well for possible breach?
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
We are a family small business. PC is at the office premises. I had it open so that I could occasionally connect to my office PC from home.
Then at the very least you need to implement Two Factor Authentication (I believe Windows 10 supports this with a Microsoft Account now?)

Or through a VPN or Reverse Proxy setup.

Also...how bad was your password? And in how many places did you use it? Because that answer will 100% leave the responsibility at your door as unfortunate as it is getting hacked.
 

Anthro

Expert Member
Joined
Jun 13, 2006
Messages
2,369
@FlashSA check that password against this list.
https://haveibeenpwned.com/Passwords
We have quite a few machines that are public facing, one of which was compromised in the same manner; it was then used to crack other machines' passwords and SMTP spam was also sent via the IP.
The issue in my case was that the password complexity was not set..
Good luck to you
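The Pwned Passwords page linked above can be queried programmatically without handing the service the password itself. The script below is an added example, not from the thread or from Have I Been Pwned: it hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and does the match locally. The live call is confined to `fetch_range`; the range response used to run it offline is constructed (the counts in it are made up), and the `Add-Padding` header and the `https://api.pwnedpasswords.com/range/` endpoint are the public API as I know it.

```python
"""Added example (not from the thread): checking a password against the Have I
Been Pwned "Pwned Passwords" list with the range (k-anonymity) API.

The service is queried with only the first five hex characters of the
password's SHA-1; it answers with every known suffix under that prefix and a
breach count, and the comparison happens locally, so neither the password nor
its full hash leaves the machine.  The network call is confined to
`fetch_range`; `pwned_count` takes the fetcher as a parameter, and the
constructed range response below lets the check run offline.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Padding entries (count 0, sent when the Add-Padding header is used) parse
    fine and simply never count as pwned."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live fetch of one hash range (not exercised by the offline sample)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Number of breach occurrences recorded for the password, 0 if absent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed offline stand-in for the service: the one prefix it knows is
# 5BAA6, the prefix of SHA-1("password"); the counts are made up for the
# demonstration, and the third line is a padding entry.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "00000000000000000000000000000000001:2\n"
        "00000000000000000000000000000000002:0\n"
    ),
}


def offline_fetch(prefix):
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the sample list'}")
```

Run it with the default fetcher to query the real service; the only thing on the wire is the five-character prefix, which is shared by hundreds of other hashes, so an observer learns nothing usable about the password being checked.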
 

PsyWulf

Executive Member
Joined
Nov 22, 2006
Messages
8,510
Ye, RDP should never be open directly to the world - if you really need it outside your home always go through a VPN.
Or an SSH tunnel; many RD Managers can connect automatically to SSH before initiating an RDP session.
 

FlashSA

Executive Member
Joined
Oct 19, 2007
Messages
7,970
@FlashSA check that password against this list.
https://haveibeenpwned.com/Passwords
We have quite a few machines that are public facing, one of which was compromised in same manner, it was then used to crack other machines passwords and SMTP spam was also sent via the IP
The issue in my case was that the password complexity was not set..
Good luck to you
Yip, it's in there. /tears!

I have spent over an hour changing all mail server passwords etc - anything that was stored in my dropbox has been changed in case the cretin screengrabbed passwords.

All my personal website accounts have 2FA activated so I am fine there, but as I admin the business IT infrastructure and mail server, I had all those details stored in a spreadsheet.

Valuable lesson learnt here and it could have been a hell of a lot worse
 

FaSMaN

Expert Member
Joined
Mar 24, 2010
Messages
1,518
If you're only going to use the server in South Africa, I highly recommend installing a firewall that supports Geo-IP blocking (IPFire or pfSense) and blocking all regions other than South Africa as well. IPFire also has a really good intrusion detection I recommend using.
 
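The Geo-IP blocking recommended above boils down to a longest-prefix lookup from source address to country, with a fail-closed default for addresses the table does not know and an explicit trusted list for the prefixes (VPN, LAN) that must always get through. The script below is an added example of that logic, not code from IPFire, pfSense or the thread; its prefix table uses RFC 5737/3849 documentation ranges with made-up country codes and is constructed for the demonstration, whereas a real deployment loads the GeoIP feed its firewall ships.

```python
"""Added example (not from the thread): the decision logic behind Geo-IP
blocking for a remote-access port.

A prefix-to-country table is consulted with longest-prefix matching, and a
source is let through only if it maps to an allowed country or sits in an
explicitly trusted prefix; an address the table does not know is denied, so
the rule fails closed.  The table below is constructed: documentation
prefixes with invented country codes.
"""
import ipaddress

CONSTRUCTED_GEO_TABLE = [
    ("192.0.2.0/24",     "ZA"),   # pretend South African ISP block
    ("192.0.2.128/25",   "XX"),   # more specific sub-block re-assigned abroad
    ("198.51.100.0/24",  "XX"),
    ("203.0.113.0/24",   "YY"),
    ("2001:db8::/32",    "ZA"),
]


def build_table(rows):
    """Parse CIDR rows and order them longest prefix first, so that a more
    specific entry wins over the block that contains it."""
    nets = [(ipaddress.ip_network(cidr, strict=False), cc) for cidr, cc in rows]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)


def country_of(ip, table):
    """Country code of the longest matching prefix, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr.version == net.version and addr in net:
            return cc
    return None


def rdp_allowed(src_ip, table, allowed_countries=("ZA",), trusted_nets=()):
    """True if the source may reach the RDP listener: trusted prefixes first
    (a VPN or LAN range you always want in), then the country allowlist.
    Anything unmapped falls through to the allowlist and is denied."""
    addr = ipaddress.ip_address(src_ip)
    for cidr in trusted_nets:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return country_of(src_ip, table) in allowed_countries


if __name__ == "__main__":
    table = build_table(CONSTRUCTED_GEO_TABLE)
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.23", "10.1.2.3"):
        verdict = "allow" if rdp_allowed(ip, table, trusted_nets=("10.0.0.0/8",)) else "deny"
        print(f"{ip:>16}  {country_of(ip, table) or '??'}  {verdict}")
```

Geo-IP data is approximate and changes as address blocks are re-assigned, which is why the trusted-prefix path exists: put the VPN and office ranges there rather than relying on the country mapping for them, and treat the country filter as a way to cut down the scanning noise, not as the authentication control.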

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
If you're only going to use the server in South Africa, I highly recommend installing a firewall that supports Geo-IP blocking (IPFire or pfSense) and blocking all regions other than South Africa as well. IPFire also has a really good intrusion detection I recommend using.
Could probably achieve this with a hosts file as well if nothing else.
 

FlashSA

Executive Member
Joined
Oct 19, 2007
Messages
7,970
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network PCs were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
 

Dan C

Honorary Master
Joined
Nov 21, 2005
Messages
22,253
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network PCs were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
Got all my passwords stored by Chrome and I don't even have a Windows password... Only password Chrome doesn't save is my online banking login.
 

Speedster

Executive Member
Joined
May 2, 2006
Messages
7,671
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network PCs were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
Could you expand on this a bit? Trying to access passwords.google.com on my phone requires me to enter my Google credentials. Is there another way to access the passwords?
 

FlashSA

Executive Member
Joined
Oct 19, 2007
Messages
7,970
Could you expand on this a bit? Trying to access passwords.google.com on my phone requires me to enter my Google credentials. Is there another way to access the passwords?
Chrome > Settings > Passwords
There is an eye icon next to each saved item.
 

garp

Executive Member
Joined
Aug 2, 2004
Messages
7,258
FWIW apparently RDP is surprisingly secure for a MS thing, although obviously nothing is secure if your password is exposed or easily guessable.
 