Jump to content

BotNet


Alexander_Kaz
 Share

Recommended Posts

  • Administrators

Unfortunately the columns are too narrow to display the whole record. Most likely the machine is under RDP brute-force attacks. We recommend security RDP, e.g. by using VPN for connections from outside and using RDP only within LAN. If that's not an option, use 2FA for RDP login, set up the account lockout policy, restrict RDP access to specific IP addresses or IP range/subnet on a firewall.

Link to comment
Share on other sites

14 minutes ago, Marcos said:

Unfortunately the columns are too narrow to display the whole record. Most likely the machine is under RDP brute-force attacks. We recommend security RDP, e.g. by using VPN for connections from outside and using RDP only within LAN. If that's not an option, use 2FA for RDP login, set up the account lockout policy, restrict RDP access to specific IP addresses or IP range/subnet on a firewall.

Yes, this attack by RDP.  Is there any way to find this worm? because he probably is in the system. Or is it just messages and the attack is interrupted?

 

Link to comment
Share on other sites

  • Administrators

Attackers from outside perform brute-force attacks on the machine. The attacks were blocked by ESET. However, we'd recommend taking the appropriate measures as soon as possible and not give the attackers a chance to guess the right password.

Link to comment
Share on other sites

3 minutes ago, Marcos said:

Attackers from outside perform brute-force attacks on the machine. The attacks were blocked by ESET. However, we'd recommend taking the appropriate measures as soon as possible and not give the attackers a chance to guess the right password.

Of course, the password has been changed. Also port 3389 was replaced with another. This is enough for a while. Then again messages appear that the attack is on and is already on the new port.

Link to comment
Share on other sites

  • Administrators

Changing the default port and password is not enough to prevent attackers from guessing the password unless the password is complex enough.

Link to comment
Share on other sites

Quick question. Do you have a more in depth explanation about how these RDP brute forces are handled? We're seeing them as well and ESET reports them as 'blocked'. However, the same IPs keep popping up. How does the blocking mechanism work?

Thanks in advance!

Link to comment
Share on other sites

  • Administrators

I recall that a particular IP address is temporarily blocked for 1 one or until a computer restart. You should block RDP on the gateway, not on workstations.

Link to comment
Share on other sites

  • Most Valued Members
1 hour ago, K.O. said:

Quick question. Do you have a more in depth explanation about how these RDP brute forces are handled? We're seeing them as well and ESET reports them as 'blocked'. However, the same IPs keep popping up. How does the blocking mechanism work?

Thanks in advance!

Allow RDP only to specific IP Addresses and then the attempts should stop , because he won't be able to connect again because of your firewall , you can also edit the group policy for account lockout , and make harder password so it will be harder to bruteforce or will take very long time to.

Or as Marcos said , VPN to the network and RDP set to LAN only.

Link to comment
Share on other sites

  • ESET Moderators

Hello,

ESET has published several articles about the BlueKeep (CVE-2019-0708) vulnerability, which an exploit targeting RDP on older/unpatched versions of Windows.  You can read them on ESET's WeLiveSecurity blog at:

We may have some additional articles about RDP security in the future (depending, of course, on what happens in the future with things like BlueKeep).

Regards.

Aryeh Goretsky

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...