
random new accounts on server and an installation


6 replies to this topic

#1 franmo

Posted 24 March 2017 - 10:12 AM

We are a small accounting office (5 people) running a server with Windows Server 2008 R2. We are using AVG CloudCare as an anti-virus on the server. This morning I logged in on Remote Desktop and immediately noticed Pale Moon was installed on the server, and since I am the administrator I know that I did not install this. I immediately looked up the RDP connections and saw 3 new accounts there, named fvm, hyd, and rpv. They all had admin privileges and Remote Desktop privileges. I used the RDP connection manager to kick them all off the network and then I disabled the accounts. I uninstalled Pale Moon, made sure AVG was updated and it's now running a full system scan.

 

There are 3 admins on our server: there is myself and then the two gentlemen we pay to fix our computers when I get in over my head. As far as I can tell, none of us created these accounts, so how did they appear? As far as I can tell, the only thing that was installed was Pale Moon. Has anyone ever encountered something like this before?




#2 QQQQ

Posted 24 March 2017 - 10:32 AM

Yes I have. I logged into a customer's server and noticed someone was RDP'ed in. I asked the customer who it was and they didn't know. I booted the user off and changed their password, then logged on as that user. This person was using their server for sending spam and some of the files on the desktop were viruses/malware. Turns out that port 3389 was open on the firewall, not sure who opened it but I closed it. I have seen people get access to servers and computers with this port open. Check to see if it is open; you can try a ShieldsUP scan from here: https://www.grc.com/x/ne.dll?bh0bkyd2 .



#3 franmo (Topic Starter)

Posted 24 March 2017 - 10:59 AM

Port 3389 is open on my firewall as well. But we use Remote Desktop to work from home, so would closing this port stop us from logging in outside the office?



#4 QQQQ

Posted 25 March 2017 - 09:00 AM

Yes, closing the port would stop RDP from working. You need a VPN to connect to work, then RDP in. Or if you could allow access from just your IP address at home or wherever you are connecting from, that would work too. Leaving 3389 open to the whole world is just asking for trouble; it's only a matter of time before someone gets in.
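One way to apply the "allow access from just your IP" advice above on the Windows Firewall itself, as an added example that is not part of the thread. It assumes Windows Server 2012 or newer (the NetSecurity cmdlets are not available on the 2008 R2 box in the original post, where netsh advfirewall would be used instead), an elevated session, and uses 203.0.113.10 as a placeholder for the trusted home address.

```powershell
# Added example (not from the thread): scope inbound RDP (TCP 3389) to one trusted
# source address instead of leaving it open to the whole internet.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated PowerShell session.
$trustedSource = '203.0.113.10'   # placeholder: the office/home public IP that may RDP in

# Step 1: show what the built-in Remote Desktop rules currently allow.
# A RemoteAddress of 'Any' is the exposure the thread is warning about.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Step 2: disable the default 'Any'-scoped rules and add one scoped replacement.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - trusted source only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $trustedSource -Action Allow -Profile Any

# Step 3: verify. The only enabled inbound rule for 3389 should now list $trustedSource.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

If the perimeter firewall also forwards 3389, the same source restriction has to be applied there; the host rule only protects the server itself.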



#5 Jagger280

Posted 31 March 2017 - 01:59 PM

You can also change the RDP port to some obscure number and still use Remote Desktop to access your system.

 

You simply type the ip address followed by the new port number.

 

e.g. 231.222.197.6:36578



#6 technonymous

Posted 01 April 2017 - 12:30 AM

RDP should never face the internet at all by itself. It's open for all kinds of attacks and known/unknown exploits to the server. It should be behind a more robust secured tunnel.

  • Server VPN role
  • RDP gateway role
  • OpenVPN (3rd party software)
  • TeamViewer (3rd party software)
  • SSH



#7 TechUser01

Posted 21 May 2017 - 05:04 PM

Hello,

 

Is this still an issue?

 

Basically, you got brute forced.

 

Everyone is correct, you don't want RDP exposed to the internet, specifically port 3389 and 3390. We saw this issue at my work (we are a Managed Service Provider). We had this issue this past winter, which subsided in about February, with over 100 customers affected.

 

Basically, they had port 3389 wide open to the internet and the attackers used their external IP plus port 3389 to gain access. We sent a massive email about this and closed all RDP ports if they gave us permission. Then we had to modify their Password Policy in Group Policy Management.

 

 

Like suggested already, you want to shut down port 3389 completely. Users will not be able to access the computer/server remotely, but you can do port translation, such as making the port high like 9989 or 10090 or something that limits their scans, because when they scan they typically go from port 3389-3395. The best solution is to get a VPN. This will remove any chance of another attack from happening.

 

As for those accounts, the attackers will use any account name. We've seen: fbadmin, zz, funny, Jane, welcome.pin, Intel and a whole bunch more (the list was about 20 different names). From what we've seen, they didn't encrypt files like the rampant ransomware attacks. They just made fake Facebook accounts, fake Gmail accounts etc., basically to scam others out of money, and used our customers' servers and/or PCs to commit the crime.

 

I would:

 

1. Block RDP on port 3389

2. Get a VPN, if not possible then do port translation

3. Have all users change passwords to 12 characters or more

4. Disable all fake accounts in Active Directory or Local Users and change the password on all fake accounts. Check the box that the user cannot change the password. (Don't delete the account, odd as it sounds but if they gain access again, they'll recreate it)

5. In the C:\Users folder, delete the fake account's folder

6. Check the Windows Registry. They like to attach their backdoor to sethc.exe (Sticky Keys) at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe. We've seen stuff with Russian and Chinese characters. Delete any odd keys; again, ours had Russian text.

 

If it's confirmed it's there, search for the file; it will be hidden and in a WinRAR package that is most likely encrypted. Just delete that file and empty the trash.

 

7. Scan ALL affected computers for infections

 

This should help limit issues. 


Edited by TechUser01, 21 May 2017 - 05:08 PM.
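An added check for step 6 above, not from the thread or any poster: it reads the Image File Execution Options key the post names and reports any Debugger value, which is what makes a different program run in place of sethc.exe at the logon screen. It goes a little beyond the post by also covering the other accessibility binaries that are hijacked the same way, and by confirming the on-disk binaries still carry a valid Microsoft signature. Assumes an elevated PowerShell 3+ session on the affected host; the binary list beyond sethc.exe is my addition.

```powershell
# Added example (not from the thread): audit Image File Execution Options (IFEO) for
# accessibility binaries that can be turned into a logon-screen backdoor over RDP.
# Assumes an elevated PowerShell 3+ session on the affected Windows host.
$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# sethc.exe is the one named in the post; the others are commonly abused the same way.
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe',
                         'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Get-IfeoDebuggerFindings {
    param([string]$Base = $ifeoBase, [string[]]$Names = $accessibilityBinaries)
    foreach ($name in $Names) {
        $key = Join-Path $Base $name
        # A clean host normally has no IFEO subkey for these binaries at all.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props    = Get-ItemProperty -LiteralPath $key
        $debugger = $props.PSObject.Properties['Debugger']
        $value    = if ($debugger) { $debugger.Value } else { '<key present, no Debugger>' }
        [pscustomobject]@{
            Binary     = $name
            Debugger   = $value
            Suspicious = [bool]$debugger   # any Debugger value here needs a human look
        }
    }
}

function Test-AccessibilityBinarySignature {
    param([string[]]$Names = $accessibilityBinaries)
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # A swapped-in copy (e.g. cmd.exe renamed) fails or changes the signer.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status        # expect 'Valid'
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        }
    }
}

Get-IfeoDebuggerFindings          | Format-Table -AutoSize
Test-AccessibilityBinarySignature | Format-Table -AutoSize
```

Remove a Debugger value only after recording it (Export the key first), since the path it points at is the file the post says to go looking for.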




