
Remote Desktop and Brute Force


2 replies to this topic

#1 neumannu47


Posted 10 August 2015 - 02:01 PM

This morning, when I turned on my monitor, my login screen was up. XP would not accept my password for my user account or my administrator account. After I ran a utility to reset the administrator password, I was able to log in. Once I did, I found Advanced Mass Sender on my computer. It appears that the hackers got in by brute force through Remote Desktop (RDP). 

 

Am I correct that RDP has no defense against a brute force attack? There are options for servers, but this is a standalone machine running XP Pro. (The machine is scheduled for retire, but it's not there yet.) 

 

Based on what I can see, they got in at 6:20AM. I discovered the problem before 7:00AM. Since I had to leave for the office, I didn't get to spend much time investigating, but it looks like there are not any logs for Advanced Mass Sender. I don't care if it sent emails. My concern is what other information might have been stolen from the computer. Where would they get passwords?

 

The machine is offline until I can do more investigation. RDP will be disabled. I still need a way to access the machine from the office. TeamViewer is great, but I cannot install it on my office machine. That's why I used RDP. Is there a way to limit RDP to a certain IP address? What would you suggest?


Edited by hamluis, 10 August 2015 - 04:04 PM.
Moved from XP to Gen Security - Hamluis.
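On the question of limiting RDP to a single address: the following is an added example, not something posted by anyone in this thread, showing how to do it with the Windows Firewall that ships with XP SP2/SP3 (the netsh firewall context; the newer advfirewall context does not exist on XP). The office address 203.0.113.10 is an assumed placeholder and must be replaced with the office's real, static public address; if the office is on a dynamic address this approach does not work and a VPN or a tunnel is the better answer.

```batch
@echo off
rem Added example, not from the thread: restrict XP's Remote Desktop listener
rem (TCP 3389) so only one remote address can reach it.
rem Run from a command prompt as an administrator on the XP machine.
rem 203.0.113.10 is an assumed placeholder for the office's static public IP.

set OFFICE_IP=203.0.113.10

rem 1. Make sure the firewall is actually enabled; a scoped exception on a
rem    disabled firewall protects nothing.
netsh firewall set opmode mode=ENABLE profile=ALL

rem 2. Enable the Remote Desktop exception with a custom scope. scope=CUSTOM
rem    replaces any earlier "any address" exception for the same service.
rem    A whole subnet can be given as addr/mask, e.g. 203.0.113.0/255.255.255.0.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%OFFICE_IP% profile=ALL

rem 3. Verify: the Remote Desktop entry must show the custom scope, not "*".
netsh firewall show service
netsh firewall show state
```

Two caveats. First, this filters at the host, so the router's port-forward to 3389 is still reachable from the Internet; the connection is refused by the XP firewall rather than never arriving, and if the firewall is later switched off the machine is exposed again. Second, a scope rule stops unwanted connections but does nothing about password guessing from the permitted address, so an account lockout policy is still worth setting alongside it.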



#2 cyberSAR


Posted 10 August 2015 - 06:08 PM

Set an account lockout policy

By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent hackers using automated password-guessing tools from gaining access to your system (this is known as a "brute-force" attack). To set an account lockout policy:

    Go to Start-->Programs-->Administrative Tools-->Local Security Policy
    Under Account Policies-->Account Lockout Policies, set values for all three options. 3 invalid attempts with a 3-minute lockout duration are reasonable choices.

https://security.berkeley.edu/content/securing-remote-desktop-system-administrators
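The same policy can be applied from the command line, which is handy on a machine you administer over RDP. This is an added example rather than part of the reply above; it uses the built-in net accounts command on XP Pro with the values the reply suggests.

```batch
@echo off
rem Added example, not from the thread: set the account lockout policy with
rem net accounts instead of the Local Security Policy console.
rem Run as an administrator on the XP machine.

rem /lockoutthreshold  failed logons before lockout (0 = never, the XP default)
rem /lockoutduration   minutes the account stays locked (0 = until an admin unlocks it)
rem /lockoutwindow     minutes before the failed-attempt counter resets
rem Windows requires duration to be at least as long as the window.
net accounts /lockoutthreshold:3 /lockoutduration:3 /lockoutwindow:3

rem Print the effective policy to confirm the change took.
net accounts
```

One caveat a practitioner should know: the built-in Administrator account (RID 500) is exempt from lockout on XP, so the policy would not have stopped guesses against it, which is exactly the account the original post says was taken over. Rename it, give it a long passphrase, and use a separate administrator account for RDP. A lockout policy also hands an attacker an easy denial of service against the other accounts, which is why the three-minute duration is sensible rather than something much longer.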



#3 neumannu47

Topic Starter

Posted 10 August 2015 - 09:08 PM

Account lockout duration: 3 minutes

Account lockout threshold: 3 invalid logon attempts

Reset account lockout counter after: 3 minutes

 

Right?

I wish I'd known this yesterday. It never occurred to me that there was no lockout on failed login attempts. 

 

The good news is that the Advanced Mass Sender log shows that the hackers loaded a test profile to send to three email addresses. All three failed. I'm not sure if I caught it at the right time or what. They changed the user account that I use to a guest account, changed its password, and changed the administrator password. I've had the computer up but not connected to the Internet for a couple of hours. I don't see any malicious activity or errors popping up, so I have to assume that the only damage they did was with AMS. Obviously I'm going to do a bunch of scans after I reconnect the Internet and update the files.

 

Is there any way to tell if they did any file transfers through RDP? They didn't get anything by email.

 

Thanks for the help!
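On the question of what can be reconstructed after the fact: XP's Security log is the place to look, but only if logon auditing was enabled beforehand. The following is an added example, not code from anyone in the thread, using two tools that ship with XP Pro (secedit and the eventquery.vbs script in System32) to check the audit setting and export the relevant events. The output path is an assumed location.

```batch
@echo off
rem Added example, not from the thread: pull the evidence XP keeps about RDP
rem logons out of the Security log. Assumes XP Pro (eventquery.vbs is not in
rem XP Home) and that "Audit logon events" was enabled before the attack;
rem with XP's default of no auditing the exports will simply be empty.

set OUT=%USERPROFILE%\Desktop\rdp-timeline

rem 1. Was auditing on at all? Export the local policy and read [Event Audit].
rem    AuditLogonEvents = 3 means success and failure were recorded; 0 means nothing was.
secedit /export /cfg "%OUT%-audit.inf" /areas SECURITYPOLICY
findstr /I "AuditLogonEvents AuditAccountLogon AuditAccountManage" "%OUT%-audit.inf"

rem 2. Failed logons (event 529) show the guessing burst. The description's
rem    "Workstation Name" and "Source Network Address" identify the attacker.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 529" /FO CSV /V > "%OUT%-failed.csv"

rem 3. Successful logons (528) with "Logon Type: 10" are RemoteInteractive, i.e. RDP.
rem    The first one after the burst is the moment they got in.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 528" /FO CSV /V > "%OUT%-logons.csv"

rem 4. Account management events explain the password and group changes:
rem    642 = user account changed, 628 = password set, 624 = account created.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 642" /FO CSV /V > "%OUT%-changes.csv"
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 628" /FO CSV /V >> "%OUT%-changes.csv"
```

As to file transfers: XP does not log RDP clipboard or drive redirection on the server side, so no event will say whether files were copied out over the session. The only server-side traces are indirect ones such as the Recent Documents list and file access times, and the attacker's own client settings are not recorded here at all. In practice, any passwords stored on the machine (saved browser credentials, mail client settings) have to be treated as exposed once someone has had an interactive session as administrator.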





