We discovered that a hacker was running a brute force Remote Desktop attack against a Windows Server belonging to a customer of ours. They were working their way through various username and password combinations in the hope that one of them would work. Here’s what we found, and how we resolved it.
The Remote Desktop Attack Scenario
While onsite at a customer location we reviewed the server Event Logs and discovered multiple login attempts to the server.
Here’s what we saw under the Security section of the Windows Event Logs:
See all those Audit Failures, and look at the times: there are 11 login attempts in two minutes. We saw over 100 attempts in a few hours that morning.
That many attempts in that short a period means this is almost certainly an automated bot scanning for open RDP ports (every connection targets port 3389, the default RDP port). This is commonly referred to as a brute force attack: the goal is to try as many username/password combinations as possible in the hope that one will work.
Open one of the audit failure records and you see login names like staff, admin, fronttest, server, administrator, reception, reception2, etc. None of these are accounts on the server; the attacker is guessing common names, so it’s obvious these aren’t legitimate requests.
Secure Your Server
If a hacker manages to figure out your credentials and establish a Remote Desktop login to your server, then you no longer own the server. They can install malicious software and potentially lock you out of administration altogether. This is a very bad scenario, so you must take steps to ensure it never happens.
Here are three server options to beef up security and help fend off these kinds of Remote Desktop attacks. You should probably do them all; we have.
1 – Disable and do not use Admin or Administrator as a server login
It is well documented that you should use something other than the default Administrator account on a server, and Microsoft tells you how to disable it. The reason to disable it is that if hackers already know the username, all they have to focus on is guessing the password.
Set up a new administrator account with a different, non-obvious name and now they have to guess both the username and the password, which is much more difficult. Make sure your domain administrator account is also renamed to something different.
2 – Change the RDP Port to something other than 3389
This may or may not help you, since automated bots may scan for any open port, but it is easy to change the RDP port. When you connect remotely you then just add the port number after the name or IP address, for example 192.168.168.168:3391.
(Make sure you change the Windows Firewall rule and your router’s port forwarding table to match the new port number.)
3 – Block access via Windows Server Firewall
The Windows Server firewall is good, and very granular. Set up an Inbound Firewall rule on the server with a Block action and call it something like RDP Hacking Block. Under the Scope tab you can add the remote IP addresses that you want to deny access to. You should be able to find these IP addresses in your router’s logs, or in the Audit Failure records themselves.
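The three steps above can be tied together on the server itself. The following PowerShell script is an added example (not the original post’s code): it reads the Security log for failed logons (Event ID 4625, which is what the Audit Failure records above are), flags any source address that produced a burst of failures like the 11-in-two-minutes pattern seen here, and adds those addresses to the RDP Hacking Block rule. The rule name, the 10-failures-in-5-minutes threshold and the 24-hour look-back are assumed values; it assumes an elevated session on Windows Server 2012 or later (NetSecurity module).

```powershell
# Added example: detect RDP brute-force bursts in the Security log and block the sources.
# Threshold, window, rule name and look-back are assumptions; tune them for your server.
param(
    [int]$Threshold = 10,
    [int]$WindowMinutes = 5,
    [string]$RuleName = 'RDP Hacking Block'
)

# Event ID 4625 = "An account failed to log on". Look back 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since }

# Pull the attempted user name and the source address out of each record's XML.
$attempts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # LogonType 10 = RemoteInteractive (RDP); 3 = Network, which RDP with NLA also produces.
    if ($d['LogonType'] -in @('3', '10') -and $d['IpAddress'] -and $d['IpAddress'] -ne '-') {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $d['TargetUserName']; Ip = $d['IpAddress'] }
    }
}

# Flag an address when $Threshold or more failures fall inside any $WindowMinutes window.
$offenders = foreach ($g in $attempts | Group-Object Ip) {
    $times = @($g.Group.Time | Sort-Object)
    for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
        if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
            $names = ($g.Group.User | Sort-Object -Unique) -join ', '
            Write-Host ("{0}: {1} failures, user names tried: {2}" -f $g.Name, $g.Count, $names)
            $g.Name   # emitted into $offenders
            break
        }
    }
}

if (-not $offenders) { Write-Host 'No brute-force bursts found.'; return }

# Create the inbound block rule once, then extend its remote-address scope on later runs.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -RemoteAddress $offenders | Out-Null
} else {
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged  = @($current) + @($offenders) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}
```

Run it on a schedule so the rule scope keeps up with new sources; the blocked list grows, which is also why blocking at the router edge (next section) is worth doing in addition.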
Secure Your Router
If you can, block these incoming connections right at the edge of your network. Use your router’s firewall to block the offending IPs.
Most routers have firewall capabilities these days. Using the router logs, find the inbound IP addresses connecting to port 3389 and record them. Then deny those IP addresses in the router firewall.
The log may look something like this:
Conclusion
These days security is more important than ever, and attacks come at you from many angles.
Focus on security up front, and keep watching and monitoring your logs to catch potential issues early.
Other Related Information:
AntiMalware is a rogue antispyware program from the same family as Active Security and Protection System. When the rogue is installed it registers itself in the Windows registry so that it runs automatically every time your computer starts. During installation the rogue also detects and attempts to uninstall legitimate antivirus/antispyware software (MalwareBytes Antimalware, NOD32, Avast, etc.).
Once running, AntiMalware will perform a scan of your computer and list a variety of infections that it claims will not be fixed unless you first purchase the scareware. All of these infections are fake, so you can safely ignore them.
While AntiMalware is running, you will be shown nag screens, fake security alerts, notifications from the Windows taskbar and other pop-ups. It will state that Internet Explorer is infected, that your computer is being attacked from a remote host, that your computer is infected by a lot of viruses, or that activity loggers have been detected. Some of the alerts:
AntiMalware Registration required There were found found 9 dangerous viruses on your computer. It is strongly recommended to remove them ASAP.
Security Alert User`s activity loggers detected! It`s strongly recommended to remove threats right now!
AntiMalware network security alert Network attack rejected! Your computer is being attacked from remote host. Attack has been classified as Remote code execution attempt.
However, all of these warnings are fake. You should ignore every warning the rogue gives you and remove it from your computer. Use the AntiMalware removal instructions below to remove this infection and any associated malware from your computer for free.
Use the following instructions to remove AntiMalware (Uninstall instructions)
Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Select Perform Quick Scan, then click Scan; it will start scanning your computer for the AntiMalware infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the AntiMalware removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
AntiMalware creates the following files and folders