
Win 10 Pro 64bit - Constant RTP detection on RDP



Hello,

I've been getting constant RTP detection pop-ups with compromised website on port 3389. I activated the Brute Force settings, and now am getting Brute Force Attack notes in the Malwarebytes history.

Prior to running Malwarebytes, I also noticed I am getting a lot of logon Audit Failures in the Event Viewer, Security log.

Attached are the 3 files requested. 

 

Thanks in advance for the help!

James.

Malwarebytes Threat Scan 10-26-2022.txt FRST.txt Addition.txt


  • Root Admin

It is possible to block by range in the firewall, but having individual blocks may be preferred by some.

The following could be saved as a batch file to add blocking entries into your firewall:

 

@echo off
:: Run the following to help increase security on the Windows firewall
:: 11:26 AM 5/26/2022


:: Delete all custom Firewall rules
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 135"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 137"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 138"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP port 139"
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all outbound TCP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all inbound UDP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block all outbound UDP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block WScript 32-bit"
netsh advfirewall firewall delete rule name="1Custom Block WScript 64-bit"
netsh advfirewall firewall delete rule name="1Custom Block CScript 32-bit"
netsh advfirewall firewall delete rule name="1Custom Block CScript 64-bit"
netsh advfirewall firewall delete rule name="1Custom Block Type 13 ICMP V4"

:: Create all custom Firewall rules
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 135" protocol=TCP dir=in localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 135" protocol=TCP dir=out localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 135" protocol=UDP dir=in localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 135" protocol=UDP dir=out localport=135 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 137" protocol=TCP dir=in localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 137" protocol=TCP dir=out localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 137" protocol=UDP dir=in localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 137" protocol=UDP dir=out localport=137 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 138" protocol=TCP dir=in localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 138" protocol=TCP dir=out localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 138" protocol=UDP dir=in localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 138" protocol=UDP dir=out localport=138 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 139" protocol=TCP dir=in localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP port 139" protocol=TCP dir=out localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP port 139" protocol=UDP dir=in localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 139" protocol=UDP dir=out localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP SMB 445" protocol=TCP dir=in localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound TCP SMB 445" protocol=TCP dir=out localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound UDP SMB 445" protocol=UDP dir=in localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP SMB 445" protocol=UDP dir=out localport=445 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block WScript 32-bit" dir=out action=block program="c:\windows\system32\wscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block WScript 64-bit" dir=out action=block program="C:\Windows\SysWOW64\wscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block CScript 32-bit" dir=out action=block program="c:\windows\system32\cscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block CScript 64-bit" dir=out action=block program="C:\Windows\SysWOW64\cscript.exe" enable=yes
netsh advfirewall firewall add rule name="1Custom Block Type 13 ICMP V4" protocol=icmpv4:13,any dir=in action=block

pause
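
A sanity check for a batch file like the one above, as an added example that is not part of the original post: it compares the port and protocol named in each rule's label with the `localport`/`protocol` parameters actually passed to `netsh`, and flags delete lines that have no matching add. The sample lines and the `parse_rules` and `lint` helpers are constructed for this illustration.

```python
import re

# Constructed sample lines in the style of the batch file above.
SAMPLE_BATCH = r'''
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP port 139" protocol=TCP dir=in localport=139 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all inbound TCP SMB 445" protocol=TCP dir=in localport=145 action=block enable=yes
netsh advfirewall firewall add rule name="1Custom Block all outbound UDP port 137" protocol=TCP dir=out localport=137 action=block enable=yes
netsh advfirewall firewall delete rule name="1Custom Block all inbound TCP SMB 445"
netsh advfirewall firewall delete rule name="1Custom Block old rule"
'''

RULE_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+(add|delete)\s+rule\s+name="([^"]+)"(.*)', re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_rules(text):
    """Yield (verb, name, params) for every netsh add/delete rule line."""
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            params = {k.lower(): v.strip('"') for k, v in KV_RE.findall(m.group(3))}
            yield m.group(1).lower(), m.group(2), params

def lint(text):
    """Return findings where a rule's label and its parameters disagree."""
    findings, added, deleted = [], set(), set()
    for verb, name, p in parse_rules(text):
        if verb == "delete":
            deleted.add(name)
            continue
        added.add(name)
        # Port named at the end of the label vs. localport/remoteport.
        label_port = re.search(r'(\d+)\s*$', name)
        ports = {p.get("localport"), p.get("remoteport")} - {None}
        if label_port and ports and label_port.group(1) not in ports:
            findings.append(f"port mismatch: {name!r} uses {sorted(ports)}")
        # Protocol named in the label vs. the protocol= parameter.
        label_proto = re.search(r'\b(TCP|UDP)\b', name, re.I)
        if label_proto and p.get("protocol", "").upper() != label_proto.group(1).upper():
            findings.append(f"protocol mismatch: {name!r} uses {p.get('protocol')}")
    # A delete with no matching add is a leftover or a typo in one of the names.
    findings += [f"delete without add: {n!r}" for n in sorted(deleted - added)]
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_BATCH):
        print(finding)
```
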

 
