Dodgy IP attempting RDP on me...

Discussion in 'Networking, Telephony & Internet' started by unwritt3n, Mar 12, 2016.

  1. unwritt3n

    unwritt3n Member

    Joined:
    Oct 26, 2006
    Messages:
    1,400
    Location:
    Melbourne
    So I checked my router logs, and found a particular IP address is trying to ping me.
    They're trying to connect via 3389 (RDP).
    RDP is disabled on my computer, and they aren't able to get through. I've also checked local logs etc.

    It's coming from 118.193.165.34

    A bit of recon...

    Continent: Asia (AS)
    Country: China (CN)
    Capital: Beijing
    State: Shanghai
    City Location: Shanghai
    ISP: Anchnet
    Organization: Shanghai Anchang Network Security Technology Co.,L
    AS Number: AS58879 Shanghai Anchang Network Security Technology Co.,Ltd.

    Nmap scan report for 118.193.165.34
    Host is up (0.47s latency).
    Not shown: 991 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    80/tcp open http
    135/tcp open msrpc
    445/tcp open microsoft-ds
    1026/tcp open LSA-or-nterm
    1040/tcp open netsaint
    1041/tcp open danf-ak2
    3306/tcp open mysql
    3389/tcp open ms-wbt-server

Can even get an RDP session on a 2003 server from it.

Any wizards out there able to find out more/assist? I've put a further blacklist on it now.
     
  2. Pepito

    Pepito Member

    Joined:
    Apr 4, 2003
    Messages:
    963
    Location:
    Melbourne
    Cool :)



     
  3. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    67,342
    Location:
    brisbane
    If only you knew how many there are out there.....
     
  4. karnophage

    karnophage Member

    Joined:
    Aug 29, 2011
    Messages:
    428
    Location:
    6112
    Not a lot you can do.

    You can change the RDP listening port via regedit if you want though.

    Obviously you've got a decent firewall between you and them, yes?
     
  5. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,761
    Location:
    NSW
    It's likely just an infected machine doing port scans, trying to find and infect other machines.

    If the IP was from a hacker, do you really think they would leave so many services (including RDP from an 03 server :wired:) open to the internet (unless it's a honeypot)?
     
  6. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,349
    Location:
    Brisbane
    Happens thousands of times per day to most people. Worse for commercial connections (our 100mbit fibre connection at work, for example).

    Welcome to the Internet.
     
  7. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,964
    Location:
    Pooraka Maccas drivethrough
    This isn't much of a mitigation, the botnets still try RDP logins on random, higher port numbers.
     
  8. IKT

    IKT Member

    Joined:
    Feb 4, 2007
    Messages:
    4,277
Significantly less though. Changing the SSH port is one of the first things I do; it just reduces the amount of bots attempting to get in by a massive amount.
     
  9. glimmerman

    glimmerman Member

    Joined:
    Nov 3, 2005
    Messages:
    2,204
    Location:
    Perth
lol,

This literally happens all the time, every second of the day. On top of that, as soon as an open RDP port is found, you will find a lot of "audit fail" logs with random usernames/passwords as they try and brute force their way in.

Moral of the story: don't have RDP open on the internet.
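The "audit fail" flood described above is the signal a defender can key on. The following is an added example written for this page (not a tool from the thread): it parses constructed, one-line-per-event renderings of Windows Security Event ID 4625 (an account failed to log on) and flags any source address that produces a burst of failed RDP logons within a time window, the same condition a lockout policy or a fail2ban-style blocker acts on. The log lines and addresses are constructed for the example; real event exports are multi-line and would need a different parser, but the per-source windowed count is unchanged.

```python
"""Flag RDP brute-force sources from Windows Security log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
RDP_LOGON_TYPES = {10}     # Logon Type 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample log: one source cycling through guessed usernames, one user
# mistyping a password twice before succeeding (4624), and a local console failure
# (Logon Type 2) that has nothing to do with RDP. Addresses are documentation ranges.
SAMPLE_LOG = """\
2016-03-12T03:14:07 4625 Logon Type: 10 Account Name: administrator Source Network Address: 203.0.113.7
2016-03-12T03:14:09 4625 Logon Type: 10 Account Name: admin Source Network Address: 203.0.113.7
2016-03-12T03:14:11 4625 Logon Type: 10 Account Name: guest Source Network Address: 203.0.113.7
2016-03-12T03:14:12 4625 Logon Type: 10 Account Name: test Source Network Address: 203.0.113.7
2016-03-12T03:14:14 4625 Logon Type: 10 Account Name: administrator Source Network Address: 203.0.113.7
2016-03-12T03:14:15 4625 Logon Type: 10 Account Name: scan Source Network Address: 203.0.113.7
2016-03-12T08:02:30 4625 Logon Type: 10 Account Name: alice Source Network Address: 198.51.100.4
2016-03-12T08:02:45 4625 Logon Type: 10 Account Name: alice Source Network Address: 198.51.100.4
2016-03-12T08:03:01 4624 Logon Type: 10 Account Name: alice Source Network Address: 198.51.100.4
2016-03-12T09:00:00 4625 Logon Type: 2 Account Name: bob Source Network Address: 127.0.0.1
"""

# Matches the simplified one-line format above (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+Logon Type:\s*(?P<ltype>\d+)\s+"
    r"Account Name:\s*(?P<user>\S+)\s+Source Network Address:\s*(?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "usernames": [...]}} for every source with at
    least `threshold` failed RDP logons inside any `window`-long interval."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != FAILED_LOGON:
            continue
        if rec["logon_type"] not in RDP_LOGON_TYPES:
            continue  # console / service logons are not what an internet scanner produces
        failures[rec["ip"]].append((rec["ts"], rec["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        end = 0
        # Sliding window: for each start event, advance `end` while still inside the window.
        for start in range(len(times)):
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "usernames": sorted({u for _, u in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, usernames tried: {', '.join(info['usernames'])}")
```

The distinct-username list is the tell: a legitimate user who fat-fingers a password fails a couple of times under one account, while a scanner walks a wordlist of account names from one address. The threshold and window are the knobs that would be tuned to match the host's account lockout policy.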
     
  10. Eddyah

    Eddyah Member

    Joined:
    Aug 12, 2005
    Messages:
    1,649
    Really shouldn't have any port open and exposed to the internet unless your gateway has the security to support it (smart analysis of packets for multiple failed connections and then blacklist IP addresses).

    The only ports I have open are my VPN and HTTP/S ports.

Never believed in switching default ports to other values. It's a dumb security measure which gives you headaches in the long run when trying to remember ports.
     
  11. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,964
    Location:
    Pooraka Maccas drivethrough
    Not really, even at 2-3 port tries a second they'll work through all the ephemeral ports in under half a day.
     
  12. wwwww

    wwwww Member

    Joined:
    Aug 22, 2005
    Messages:
    6,385
    Location:
    Bangkok
We used to get this a lot. Change your RDP port and create a small app that listens on 3389, accepts connections but doesn't reply, and it'll decrease dramatically (though you'll still get some).
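A decoy of the kind described above, as an added example written for this page (it is not the poster's app): it binds the port the real service used to live on, completes the TCP handshake and then never reads or writes, while recording which addresses connected so they can be fed to a blocklist or alert elsewhere. It assumes the real RDP service has already been moved off 3389. Because a listener that holds connections open is itself a resource-exhaustion risk, it caps how many sockets it keeps and drops the oldest ones, and releases each after a fixed hold time. `self_check()` exercises it on a loopback ephemeral port.

```python
"""Decoy TCP listener that accepts and never replies (added example)."""
import socket
import threading
import time


class Tarpit:
    def __init__(self, host="0.0.0.0", port=3389, hold_seconds=60.0, max_held=256):
        self.hold_seconds = hold_seconds
        self.max_held = max_held
        self.seen = {}            # source ip -> number of connections observed
        self._held = []           # [(accept time, socket), ...] connections being held open
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(64)
        self._sock.settimeout(0.2)  # short timeout so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]  # actual port (useful when port=0)
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        with self._lock:
            for _, s in self._held:
                s.close()
            self._held.clear()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, _) = self._sock.accept()
            except socket.timeout:
                self._reap(time.monotonic())
                continue
            with self._lock:
                self.seen[ip] = self.seen.get(ip, 0) + 1
                # Never read or write: the scanner sees a completed handshake and nothing else.
                if len(self._held) >= self.max_held:
                    _, oldest = self._held.pop(0)  # bound our own file descriptor usage
                    oldest.close()
                self._held.append((time.monotonic(), conn))

    def _reap(self, now):
        """Release connections that have been held longer than hold_seconds."""
        with self._lock:
            keep = []
            for t, s in self._held:
                if now - t >= self.hold_seconds:
                    s.close()
                else:
                    keep.append((t, s))
            self._held = keep


def self_check(connections=3):
    """Start a tarpit on a loopback ephemeral port, open a few connections to it from
    this host and return how many it recorded. Confirms the listener works offline."""
    pit = Tarpit(host="127.0.0.1", port=0, hold_seconds=5).start()
    try:
        for _ in range(connections):
            c = socket.create_connection(("127.0.0.1", pit.port), timeout=2)
            c.close()
        deadline = time.monotonic() + 2
        while time.monotonic() < deadline and pit.seen.get("127.0.0.1", 0) < connections:
            time.sleep(0.05)
        return pit.seen.get("127.0.0.1", 0)
    finally:
        pit.stop()


if __name__ == "__main__":
    pit = Tarpit().start()  # binds 0.0.0.0:3389; only do this after moving the real service
    try:
        while True:
            time.sleep(60)
            print(dict(pit.seen))
    except KeyboardInterrupt:
        pit.stop()
```

Anything that connects to this port and waits for an RDP banner is by definition not a legitimate user, so `seen` is a clean list of scanner addresses; that is the value of the decoy beyond reducing noise on the real port.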
     
  13. danyell

    danyell Member

    Joined:
    Jan 20, 2003
    Messages:
    1,881
    Location:
    Kilsyth, 3137
OP, consider setting up an SSH tunnel for your RDP connection, or a VPN (not PPTP) that you connect to and then access your RDP.

I'm running the former and the app I use fortunately auto-connects to SSH and then the RDP connection. Works nice. (Jump Desktop)
     
  14. ktmrida

    ktmrida Member

    Joined:
    May 3, 2010
    Messages:
    593
    Location:
    Australia
I've always been against opening RDP to the world, always used SSH or a VPN.

Except with 2-factor now, it's a little safer.

Look at Duo (http://duosecurity.com/), the free account: you can download a 2FA client to your PC so each time you RDP in, your phone gets a one-time code - provides an extra layer.
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    45,349
    Location:
    Brisbane
    I'm no fan of "security through obscurity", but I will agree that objectively you will see far fewer attempts on non-standard ports.

    That doesn't mitigate the need for all your regular "good security things" like strong passwords that change frequently, or better yet key access only.

    Port knocking is also an interesting trick (unsure if it works on Windows systems - I've used it on Linux and BSD servers). You set up a listening "knockd" service that waits until a certain combination of ports of your choosing are hit in a particular order, and then they'll open up another port to just the IP that's knocking. Not as secure as a VPN, but not a terrible way to hide your exposed ports.
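The sequence-matching core of port knocking, as an added example written for this page (it is not knockd and does not touch any firewall): a tracker is fed connection attempts as (timestamp, source ip, destination port) tuples, follows each source's progress through a configured sequence, and marks the protected port open for that source only, for a limited time. Two details a deployment needs are handled: an attempt on any port outside the expected next one resets that source's progress, which is what stops a plain sequential port scan from stumbling through the sequence, and progress expires if the knocks are too far apart. The knock sequence, timeouts and addresses below are chosen for the example; a real setup would feed firewall log events in and add a per-address allow rule when `knock()` returns True.

```python
"""Port-knock sequence tracker (added example; sequence and timeouts are illustrative)."""


class KnockTracker:
    def __init__(self, sequence, timeout=10.0, open_for=30.0):
        self.sequence = tuple(sequence)  # ports that must be hit, in this order
        self.timeout = timeout            # max seconds between consecutive knocks
        self.open_for = open_for          # seconds the protected port stays open after a full sequence
        self._progress = {}               # ip -> (index of next expected port, time of last knock)
        self._opened = {}                 # ip -> expiry time

    def knock(self, ts, ip, port):
        """Feed one connection attempt. Returns True when it completes the sequence for ip."""
        idx, last = self._progress.get(ip, (0, ts))
        if ts - last > self.timeout:
            idx = 0  # too slow: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
        elif port == self.sequence[0]:
            idx = 1  # wrong port, but it is the first knock, so treat it as a fresh start
        else:
            idx = 0  # any other port (e.g. a port scan passing through) resets progress
        if idx == len(self.sequence):
            self._opened[ip] = ts + self.open_for
            self._progress.pop(ip, None)
            return True
        self._progress[ip] = (idx, ts)
        return False

    def is_open(self, ts, ip):
        """True if ip completed the sequence and its open window has not expired."""
        expiry = self._opened.get(ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self._opened[ip]
            return False
        return True


if __name__ == "__main__":
    # Constructed demo: a legitimate knocker and a scanner walking ports in order.
    tracker = KnockTracker((7000, 9000, 8000))
    for t, port in enumerate((7000, 9000, 8000)):
        print("knock", port, "->", tracker.knock(t, "198.51.100.7", port))
    for i, port in enumerate(range(6999, 9001)):
        tracker.knock(i * 0.01, "203.0.113.9", port)
    print("knocker open:", tracker.is_open(3, "198.51.100.7"))
    print("scanner open:", tracker.is_open(30, "203.0.113.9"))
```

The sequence is deliberately not monotonic (7000, 9000, 8000): a scanner sweeping ports upward hits 7000, then 7001, and the off-sequence port resets it, so it never reaches the second knock. With an ascending sequence and no reset-on-wrong-port rule a linear sweep would open the port by accident, which is the usual mistake in home-grown knockers.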
     
  16. IKT

    IKT Member

    Joined:
    Feb 4, 2007
    Messages:
    4,277
    Bots don't scan entire port ranges for open hosts. They're literally just pinging every IP on the internet on a specific port.

And by "far fewer", I've actually had zero.

    By going from port 22 on SSH where I was getting 1 IP banned every few minutes to a port in the 9000 range I've not had 1 fail2ban email come through saying it banned an IP for SSH auth attempts.
     
  17. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,964
    Location:
    Pooraka Maccas drivethrough
So I'm imagining all those logged RDP and SSH login attempts on ports 5000-65535 then?

Edit: I'm guessing you don't own/aren't responsible for many IP addresses.
     
    Last edited: Mar 14, 2016
  18. IKT

    IKT Member

    Joined:
    Feb 4, 2007
    Messages:
    4,277
As I said, I haven't had 1 bot attempt to auth on an SSH port outside of port 22, or 1 attempt for a bot to log in when I changed the FTP port to a much higher port. It just stops, and that's on a server that's been online 24x7 for the last 10 years.
     
  19. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,428
    Location:
    Brisbane
Basically this.

Re: RDP on the web. That's entirely up to your level of risk.

    If you have a sensible password/lockout policy - who cares.
     
  20. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,964
    Location:
    Pooraka Maccas drivethrough
If you truly have not had a single SSH login attempt on a random port for 10 years, then you should probably go and buy a lottery ticket. The Hail Mary botnet was running from 2009-2013ish, doing exactly that, and there are other ones now doing the same thing.
     
