{"id":630,"date":"2018-12-01T15:32:59","date_gmt":"2018-12-01T15:32:59","guid":{"rendered":"http:\/\/james-batchelor.com\/?p=630"},"modified":"2019-08-17T15:38:31","modified_gmt":"2019-08-17T15:38:31","slug":"taking-things-for-granted-the-rdp-attack","status":"publish","type":"post","link":"https:\/\/james-batchelor.com\/index.php\/2018\/12\/01\/taking-things-for-granted-the-rdp-attack\/","title":{"rendered":"Taking Things for Granted \u2013 The RDP Attack."},"content":{"rendered":"\n<p>Before we start, a story. When I created my first web server, I\u2019d found a copy of Windows NT Server 4.0, upgraded it to Service Pack 6a to get IIS enabled, opened port 80 on the router and voil\u00e0, a working webserver. This was 2001 and unfortunately my creation of a webserver coincided with the spread of the <a rel=\"noreferrer noopener\" aria-label=\"Code Red (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Code_Red_(computer_worm)\" target=\"_blank\">Code Red<\/a> virus, and it reached my server within days of it being online.<\/p>\n\n\n\n<p>Not knowing at the time, and thinking it was a one-off, I\nformatted the hard drive and completed the whole setup again. A day passed\nbefore the virus was back. Now with the knowledge of what was happening, and wary\nof it happening again, I rebuilt the server and this time put the website\nbehind port 8080. This time the virus never returned.<\/p>\n\n\n\n<p>I thought to myself that this was security through\nobscurity, and with the victory over Code Red, it was something I held onto for\nmany years.<\/p>\n\n\n\n<p>I applied this method when it came to opening RDP access to\nthe outside world, choosing a seemingly obscure port, 8021, on each network\nsetup. 
However, I\u2019ve been dealt a wake-up call following what I\u2019ve just seen\u2026<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>In my small flat I have the advantage or disadvantage,\ndepending on your opinion, of having my network switch located below my TV in the\nliving room, allowing me to glance at network activity quite easily. Paying attention,\nI noticed the port to the server and router uplink had been constantly transferring data.\nThis is not unusual, as there is a webserver on it and, as with all WordPress based\nwebsites, it sees many attack attempts each day.<\/p>\n\n\n\n<p>What was different the last few days is that the transfer\nwas constant. Instead of an organic flashing pattern, where you can almost visualise\neach web request and response, it was a steady stream, and it lasted far longer than\nany process I could think of would explain.<\/p>\n\n\n\n<p>Curiosity overwhelming me, I remoted onto the server and\nlooked at the network tab of the resource monitor, only to be greeted by this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un3-1024x576.png\" alt=\"\" class=\"wp-image-631\" srcset=\"https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un3-1024x576.png 1024w, https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un3-300x169.png 300w, https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un3-768x432.png 768w, https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un3-1200x675.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p>Around 50 unknown addresses, all connecting to terminal\nservices. 
After the initial shock I read more into it and, based on the network\nthroughput of each IP compared to my active RDP connection (which here is\n192.168.1.17), I believe they were still at the brute-force stage of logging in.<\/p>\n\n\n\n<p>Looking further, this looked to be more of a botnet of\ncompromised machines, as the hostnames comprised generic consumer connections,\nAmazon EC2 and even a mail server.<\/p>\n\n\n\n<p>The forwarding port on the router was quickly closed and the\nconnections soon reduced.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"318\" height=\"243\" src=\"https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un4_clip.png\" alt=\"\" class=\"wp-image-632\" srcset=\"https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un4_clip.png 318w, https:\/\/james-batchelor.com\/wp-content\/uploads\/2019\/08\/un4_clip-300x229.png 300w\" sizes=\"auto, (max-width: 318px) 85vw, 318px\" \/><\/figure><\/div>\n\n\n\n<p>This is my lesson to myself: security by obscurity is no longer\nan option. With exponentially more bandwidth and processing power available to\nthe world, not to mention the number of devices online compared to my\nbeginnings in 2001, you can hide, but they will find you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Before we start, a story. When I created my first web server, I\u2019d found a copy of Windows NT Server 4.0, upgraded it to Service Pack 6a to get IIS enabled, opened port 80 on the router and voil\u00e0, a working webserver. 
This was 2001 and unfortunately my creation of a webserver coincided with the spread &hellip; <a href=\"https:\/\/james-batchelor.com\/index.php\/2018\/12\/01\/taking-things-for-granted-the-rdp-attack\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Taking Things for Granted \u2013 The RDP Attack.&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[212,5,97],"tags":[274,270,272,65,271,273],"class_list":["post-630","post","type-post","status-publish","format-standard","hentry","category-network","category-servers","category-windows","tag-2012-r2","tag-attack","tag-port-forwarding","tag-rdp","tag-termsvcs","tag-windows-server-2012"],"_links":{"self":[{"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/posts\/630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/comments?post=630"}],"version-history":[{"count":1,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/posts\/630\/revisions"}],"predecessor-version":[{"id":633,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/posts\/630\/revisions\/633"}],"wp:attachment":[{"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/media?parent=630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/categories?post=630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/james-batchelor.com\/index.php\/wp-json\/wp\/v2\/tags?post=630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
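As an added example that is not part of the original post, the following is the scripted equivalent of the Resource Monitor check the post describes, written in PowerShell for the Windows Server 2012 R2 host the post's tags refer to. It lists every TCP peer talking to the RDP listener (TermService), counts Security event 4625 (failed logon) entries per source address, and flags peers that keep failing, which is what separates a brute-force client from an established session such as the author's own from 192.168.1.17. The port 8021 and the known client address are taken from the post; the one-hour lookback window and the five-failure threshold are assumptions, as is the choice of 4625 as the signal. It has to run from an elevated PowerShell because reading the Security log needs administrator rights.

```powershell
# Added example, not from the original post: triage who is talking to the RDP
# listener on a Windows Server 2012 R2 host and correlate each peer with failed
# logons, so a brute-force stream can be told apart from a real session.
# Run from an elevated PowerShell (the Security log needs administrator rights).
# Assumptions not stated in the post: the lookback window and failure threshold.

param(
    [int]$RdpPort           = 8021,              # the forwarded port the post used
    [string[]]$KnownClients = @('192.168.1.17'), # the author's own RDP client
    [int]$LookbackMinutes   = 60,                # assumed window for 4625 events
    [int]$FailureThreshold  = 5                  # assumed "brute force" cut-off
)

# 1. TermService is hosted by a svchost.exe; its PID lets us catch the RDP
#    connections even if the listener sits on a port other than $RdpPort.
$termSvc = Get-CimInstance Win32_Service -Filter "Name='TermService'"
$rdpPid  = $termSvc.ProcessId

# 2. Every non-listening TCP connection to the RDP port or owned by TermService,
#    grouped by remote address (the scripted version of Resource Monitor's
#    Network tab).
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and
                   ($_.LocalPort -eq $RdpPort -or $_.OwningProcess -eq $rdpPid) }

$byPeer = $conns | Group-Object RemoteAddress | ForEach-Object {
    [pscustomobject]@{
        RemoteAddress = $_.Name
        Connections   = $_.Count
        Known         = ($KnownClients -contains $_.Name)
    }
}

# 3. Failed logons (Security event 4625) in the lookback window. The source IP
#    is in the IpAddress field; interactive RDP logons appear as LogonType 10,
#    and with Network Level Authentication the failure is often LogonType 3.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            IpAddress = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }

$failuresByIp = @{}
foreach ($f in $failed) {
    if ($f.IpAddress -and $f.IpAddress -ne '-') {
        $failuresByIp[$f.IpAddress] = 1 + [int]$failuresByIp[$f.IpAddress]
    }
}

# 4. Verdict per peer: a known client is fine; an unknown peer with repeated
#    4625s is brute forcing; anything else is unknown and needs a look.
$report = foreach ($p in $byPeer) {
    $fails = [int]$failuresByIp[$p.RemoteAddress]
    if ($p.Known)                         { $verdict = 'known client' }
    elseif ($fails -ge $FailureThreshold) { $verdict = 'BRUTE FORCE' }
    else                                  { $verdict = 'unknown - review' }
    [pscustomobject]@{
        RemoteAddress = $p.RemoteAddress
        Connections   = $p.Connections
        FailedLogons  = $fails
        Verdict       = $verdict
    }
}
$report | Sort-Object FailedLogons -Descending | Format-Table -AutoSize

# 5. Attackers that already dropped their TCP connection still show in the log.
$failuresByIp.GetEnumerator() |
    Where-Object { $_.Value -ge $FailureThreshold -and
                   ($byPeer.RemoteAddress -notcontains $_.Key) } |
    ForEach-Object { '{0}: {1} failed logons, no current connection' -f $_.Key, $_.Value }
```

Closing the router's port forward, as the post did, is the right immediate response; the script only confirms what the connections are. On a host that has to stay reachable, running the 4625 count on a schedule is a cheap detection, and a rising count from addresses that are not in the known-client list is the same signal the switch LEDs gave the author, just one you do not have to be sitting in front of the TV to see.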