RDP Hacked

F

FlashSA

Honorary Master
Joined
Oct 19, 2007
Messages
10,778
Reaction score
2,884
So I unlocked my office PC this morning. Immediate spidey tingling. Saw Windows programs open, Symantec asking for a reboot to effect changes and a Chrome tab with Capitec Bank online banking open.

Jumped into Chrome history and 3:15am there were 2 bitcoin site entries. Confirmed that a hacker must have cracked my pc password, entered into our network via the RDP routing (I had changed port to 3390 so they must have portscanned to get the open RDP port), uninstalled Symantec and installed some bitcoin mining software. I also noticed a windows update installed by picking up a restore point created in system restore.

I checked both my Google Drive and Dopbox app's and there were no file changes uploaded so luckily my document stores seem untouched.

I am so upset and miffed by this. I immediately yanked the PC off the network, wiped and re-installed windows and am busy pulling my stuff down from the cloud. I have also closed the RDP ports on the router This feels as big a violation as a house burglary. Sucks!
 
Is this an "office PC" like at a corporate or do you work from home and it's that kind of office PC?

And in either case why is RDP open directly to the internet? And more so why only with a password?
 
SauRoNZA said:
Is this an "office PC" like at a corporate or do you work from home and it's that kind of office PC?

And in either case why is RDP open directly to the internet? And more so why only with a password?
Click to expand...
We are a family small business. PC is at the office premises. I had it open so that I could occasionally connect to my office PC from home.
 
Sorry for your experience but please make sure that you change all your passwords on all your sensitive accounts. I presume they "guessed" your windows password? so please ensure that your new windows password is strong as well. As DrJohnZoidberg has said never expose RDP to the internet rather put it behind a VPN. How many other devices are on the network? have you checked them as well for possible breach?
 
FlashSA said:
We are a family small business. PC is at the office premises. I had it open so that I could occasionally connect to my office PC from home.
Click to expand...

Then at the very least you need to implement Two Factor Authenication (I believe Windows 10 supports this with a Microsoft Account now?)

Or though a VPN or Reverse Proxy setup.

Also...how bad was your password? And in how many places did you use it? Because that answer will 100% leave the responsibility at your door as unfortunate as it is getting hacked.
 
@FlashSA check that password against this list.
https://haveibeenpwned.com/Passwords
We have quite a few machines that are public facing, one of which was compromised in same manner, it was then used to crack other machines passwords and SMTP spam was also sent via the IP
The issue in my case was that the password complexity was not set..
Good luck to you
 
DrJohnZoidberg said:
Ye, RDP should never be open directly to the world - if you really need it outside your home always go through a VPN.
Click to expand...
Or a SSH tunnel,many RD Managers can connect automatically to SSH before initiating an RDP session
 
Anthro said:
@FlashSA check that password against this list.
https://haveibeenpwned.com/Passwords
We have quite a few machines that are public facing, one of which was compromised in same manner, it was then used to crack other machines passwords and SMTP spam was also sent via the IP
The issue in my case was that the password complexity was not set..
Good luck to you
Click to expand...
Yip, it's in there. /tears!

I have spent over an hour changing all mail server passwords etc - anything that was stored in my dropbox has been changed in case the cretin screengrabbed passwords.

All my personal website accounts have 2FA activated so I am fine there, but as I admin the business IT infrastructure and mail server, I had all those details stored in a spreadsheet.

Valuable lesson learnt here and it could have been a hell of a lot worse
 
If your only going to use the server in South Africa only, I highly recommend installing a firewall that supports Geo-IP blocking (IPFire or PFSense) and blocking all regions other than South Africa aswell, IPFire also has a really good intrusion detection I recommend using.
 
  • Like
Reactions: OCP
FaSMaN said:
If your only going to use the server in South Africa only, I highly recommend installing a firewall that supports Geo-IP blocking (IPFire or PFSense) and blocking all regions other than South Africa aswell, IPFire also has a really good intrusion detection I recommend using.
Click to expand...

Could probably achieve this with a hosts file as well if nothing else.
 
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network pc's were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
 
FlashSA said:
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network pc's were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
Click to expand...
Got all my passwords stored by Chrome and I don't even have a windows password... Only password Chrome doesn't save is my online banking login.
 
FlashSA said:
So I learnt something else today: all those passwords I was happy to let Google Chrome store... Turns out you can view all of them if you have the PC password or the phone code (for mobile Chrome).

90min and countless website password changes later, I'm slowly making my life secure again.

FFS, what an experience this was. Thankfully, as far as I can tell, no other network pc's were compromised. From what I saw when I unlocked my PC this morning, it's almost like the attacker did not finish his/her mission. It's strange that they would leave Windows Add/Remove programs open and the Symantec prompt asking for a reboot. One would think that, to successfully get my PC mining, they would close all traces of them having been inside my PC...
Click to expand...
Could you expand on this a bit? Trying to access passwords.google.com on my phone requires me to enter my Google credentials. Is there another way to access the passwords?
 
Speedster said:
Could you expand on this a bit? Trying to access passwords.google.com on my phone requires me to enter my Google credentials. Is there another way to access the passwords?
Click to expand...
Chrome>Settings>Passwords
There is an eye icon next to each saved item
 
FWIW apparently RDP is surprisingly secure for a MS thing, although obviously nothing is secure if your password is exposed or easily guessable.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X