For the past three days I've been getting constant RTP detections.


AbunaiShi


They're all from the same port (445) with inbound connections. I made a rule to block it on my firewall (plus every time one IP shows up I block it on the firewall as well), but I'm unsure if there's anything else I could do to keep myself protected.

I'm currently running the trial version, and these constant appearances are a bit scary. Should I be concerned?

During scans, nothing is found. 
Also ran Hitmanpro on my computer as well, and nothing but a few tracking cookies were detected. 

I would really appreciate it if someone could enlighten me, because I'm honestly a bit lost and confused.


43 minutes ago, AbunaiShi said:

They're all from the same port (445) with inbound connections. I made a rule to block it on my firewall (plus every time one IP shows up I block it on the firewall as well), but I'm unsure if there's anything else I could do to keep myself protected.

The blocks are on addresses that are making forced attempts to exploit Remote Desktop Protocol.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases the attempted probes will automatically stop on their own.

If possible I would disable Remote Desktop as well. https://www.laptopmag.com/articles/disable-remote-desktop

Edited by Porthos

8 minutes ago, Porthos said:

If possible I would disable Remote Desktop as well. https://www.laptopmag.com/articles/disable-remote-desktop

Thankfully that setting was already disabled, would I be in any sort of danger if my trial version runs out? 

Thank you so much for the explanation, I've been sorta paranoid since I've never actually had anything of the sort happen before. 


9 minutes ago, thisisu said:

^ Correct,

I made a little pic to show where you can turn off Remote Desktop in Win10


Here's more reading if you're interested: https://blog.malwarebytes.com/security-world/2022/03/protect-rdp-access-ransomware-attacks/

Regards

Thank you so much for the in-depth explanation! And for the speedy reply. :) 

Remote Desktop was also disabled (thankfully) I'll definitely take a look at the blog post, can never be too safe! 


55 minutes ago, AbunaiShi said:

They're all from the same port (445) with inbound connections, ...

This is not Remote Desktop Protocol (RDP); that is TCP port 3389. They are trying to access weak shares.

TCP port 445 is part of Microsoft Server Message Block (SMB) and File Sharing/Networking (NetBIOS).

You can block on the Windows Firewall if you do not want to perform NT Shares. However, it is best to block such activity at the border/gateway, such as your Internet router, so Internet WAN nodes can't access your PCs on the LAN via RDP (TCP 3389) and MS Networking (TCP/UDP 135~139 and 445).

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.


References:
Ports Database
IANA official ports

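As an added example (not part of this post or of Malwarebytes' own tooling), here is the host-side counterpart of the router block list above, done with the built-in Windows Firewall cmdlets from an elevated PowerShell prompt; the rule display names are arbitrary labels chosen here, and the port list is the one given in the post.

```powershell
# Added example, not from the thread. Block inbound TCP and UDP on the ports
# listed in the post, then verify RDP is off and show what is actually listening.
# Requires an elevated (Administrator) PowerShell session.
$blockedPorts = @('135-139', '445', '1234', '3389', '5555')

foreach ($proto in 'TCP', 'UDP') {
    # Rule name is a label chosen for this example, not a Windows default.
    $name = "Block inbound $proto (hardening list)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort $blockedPorts -Action Block -Profile Any | Out-Null
    }
}

# Confirm the rules exist and are enabled.
Get-NetFirewallRule -DisplayName 'Block inbound * (hardening list)' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize

# Remote Desktop: fDenyTSConnections = 1 means incoming RDP connections are denied.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"Remote Desktop disabled: $($ts.fDenyTSConnections -eq 1)"

# Map every listening TCP port to its owning process, so an unexpected port
# can be tied to the service that opened it before deciding to block it.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
        }
    } | Format-Table -AutoSize
```

The listening-port table is what lets you tell a port that something legitimately opened from one that should not be reachable from the WAN at all; the router rules remain the primary control, as the post says.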

24 minutes ago, David H. Lipman said:
  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

I honestly cannot thank you guys enough for the input. So many of these things I wasn't aware of; I just finished taking action on what was necessary above!


Guys, after taking action on what was needed, I've noticed that the attacks on port 445 sorta stopped for now, but now I got another that I've never seen before (also from a new port, 5040).

Since you can never be too safe, I've also upgraded my trial version to a premium one! (And I feel like this is one of the best investments I've done) 

I'll be attaching the files below. 


There is no reason TCP/UDP port 5040 should be open. Just add it to your block list on the router.

It seems you are actively being "probed" for weaknesses and vulnerabilities.

Reference:
https://www.speedguide.net/port.php?port=5040
