Search the Community
Showing results for tags 'rdp'.
I'm getting the RDP port blocked in my alerts. I don't quite understand how that could be occuring, because I have a separate firewall on my network gateway that does not let RDP 3389 through. How could this be blocking random IP addresses if they shouldn't be able to get to the computer? I see its showing svchost.exe as the program, so could this be something internal to my network? Trying to understand the source of the blocked ip, which is in fact an external ip address. Thanks, Brian
Last week our network was hacked into by an unknown party. Our firewall was open for remote connections to allow a firm that is performing major upgrades to our Microsoft Dynamics ERP software. Prior to this project, I set up a VPN connection on our Sonicwall firewall device and both myself and the local office of the firm doing the upgrades were able to log in successfully. However, the firm doing the upgrades has a team doing much of the work from India. The folks in India insisted they were unable to connect via the VPN and had to use a much less secure route. Yes, this should have been a major red flag, and I was very reluctant to allow this and suggested that I send them copied of the VMs and they work on them there, and return them when complete. Nope, we can't do that, so yes, the fool I am, gave in and allowed unsecured access. While I can't prove who logged into system, I can tell you that they used credentials that only myself, and the above firm knew. You decide ! Last Tuesday, one of the office staff tells me at 6 am that she can't get into her exchange mail and I go to log into my system to take a look and would get disconnected after a few seconds, over and over. I finally log in as the administrator and see someone logged in as me from a client that was not ours. I quickly ran to the server room and pulled the internet feed. I found they had left open multiple windows on a couple servers running commands and changing firewall rules. I also found they installed an IP scanner on one desktop and had it open as well. They successfully installed ransomware which wiped out a couple of our servers that I use for backups. Thankfully, they didn't get to all of the backups and tapes, and I was able to get us back up in a day or so. One thing that I found disturbing (well, even more disturbing) was that they uninstalled our Malwarebytes Endpoint agents, allowing the damage to be done. So, here is my question, can the Malwarebytes protection be made uninstallable or unable to be disabled by anyone, even administrators without a unique password, or special code specific to this purpose only? If not, maybe this is something that can be looked at.
An intruder gained access to my PC through remote desktop, disabled malwarebytes, then password protected malwarebytes so that I cannot re-enable the program now. I have since closed the ports on my firewall, turned off rdp, reset my password, run over 10 complete virus scans using several different scanning engines. I have removed the user profiles that he created and deleted the user account folders that he created. I have uninstalled malwarebytes and removed all registry keys and folders relating to malwarebytes. After re-installing malwarebytes, I cannot access any functionality in the program or enable the realtime engine because the ***** password protected the program. Can anyone please tell me how to clear or reset the malwarebytes program? I understand the need to keep this kind of "password reset" information secure and out of the hands of the ***** that did this in the first place, so if I need to provide some kind of security clearance, please let me know what I need to provide... Highest regards, - C