Hi Guys,
Need some advice on what you would do next to stop this happening again.
I have a little remote desktop that I use for Plex server and CCTV camera monitoring. When I tried to log in yesterday it was acting extremely slow and crashing; I didn't get a chance to look at it properly until this morning, which is when I found some pretty scary things.
Going through Event Viewer on the server I can see hundreds of attempted logins from Russian-looking usernames; this is also backed up by loads of entries on the router event log showing:
Code:
DoS(SYN Flooding): IN=ppp0 OUT= MAC= SRC=91.240.118.17 DST=**.***.***.*** LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=34826 PROTO=TCP SPT=41179 DPT=13914 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
What would your next steps be?
I'm equally concerned because I have an external hard drive on the same network that I store backups from my phone on, PC document backups and the CCTV footage, and there were some new rules added to the router. They look like UPnP ones, as they look auto-added, not manually configured, which I quickly deleted, but I have had problems accessing that drive so I'm concerned it may have been compromised. As I'm not able to investigate, since I'm about to go to work, I've just turned it off.
Code:
Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->9091, internal ports: 80, internal client: ***.***.*.**
Quickly followed by
Code:
Port forwarding rule deleted via UPnP/TR064. Protocol: TCP, external ports: any->9091, internal client: ***.***.*.**
All of this is worrying me quite a lot.
I've also just seen there are a load more DoS (SYN Flooding) events whilst I've been typing this.
My apologies if I'm slow to reply, I'm leaving for work shortly, just glad I had the chance to look at it this morning and hopefully limit the damage.
Edit:
Also just found this in Malwarebytes (no, it may not be the best, but it was just a quick install to double-check everything)
Code:
Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 05/07/2020
Protection Event Time: 06:31
Log File: c8d59eec-be80-11ea-8f5e-b8aeed75d622.json
-Software Information-
Version: 4.1.2.73
Components Version: 1.0.972
Update Package Version: 1.0.26427
Licence: Trial
-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System
-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0
-Website Data-
Category: Compromised
Domain:
IP Address: 185.202.2.147
Port: 14561
Type: Inbound
File: C:\Windows\System32\svchost.exe
(end)
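A small triage script for the two router log formats quoted in the post, added here as an example and not part of the original post: it counts the SYN-flood entries per source address and targeted port, and lists UPnP/TR064 forwards that were added but never deleted. The log lines inside it are constructed in the same format with documentation-range addresses; the field names come from the quoted entries.

```python
import re
from collections import Counter

# Constructed sample lines in the router's two formats; placeholder addresses, not the OP's.
SAMPLE_LOG = """\
DoS(SYN Flooding): IN=ppp0 OUT= MAC= SRC=198.51.100.17 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=34826 PROTO=TCP SPT=41179 DPT=13914 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
DoS(SYN Flooding): IN=ppp0 OUT= MAC= SRC=198.51.100.17 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=34827 PROTO=TCP SPT=41180 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
DoS(SYN Flooding): IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=5555 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->9091, internal ports: 80, internal client: 192.168.1.20
Port forwarding rule added via UPnP/TR064. Protocol: TCP, external ports: any->3389, internal ports: 3389, internal client: 192.168.1.20
Port forwarding rule deleted via UPnP/TR064. Protocol: TCP, external ports: any->9091, internal client: 192.168.1.20
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter-style KEY=VALUE fields
UPNP_RE = re.compile(
    r"Port forwarding rule (?P<action>added|deleted) via UPnP/TR064\. "
    r"Protocol: (?P<proto>\w+), external ports: any->(?P<ext>\d+)"
    r"(?:, internal ports: (?P<int>\d+))?, internal client: (?P<client>\S+)"
)

def summarise_syn_floods(lines):
    """Count 'DoS(SYN Flooding)' entries per (source IP, destination port)."""
    counts = Counter()
    for line in lines:
        if line.startswith("DoS(SYN Flooding):"):
            f = dict(KV_RE.findall(line))
            counts[(f["SRC"], int(f["DPT"]))] += 1
    return counts

def open_upnp_forwards(lines):
    """Forwards added and never deleted, keyed by (proto, external port, client)
    with the internal port as value; each is a hole nobody configured by hand."""
    live = {}
    for line in lines:
        m = UPNP_RE.search(line)
        if not m:
            continue
        key = (m["proto"], int(m["ext"]), m["client"])
        if m["action"] == "added":
            live[key] = int(m["int"])
        else:
            live.pop(key, None)
    return live

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, dpt), n in summarise_syn_floods(lines).most_common():
        print(f"{src:>16} -> port {dpt:<5} {n} SYN(s)")
    for (proto, ext, client), internal in open_upnp_forwards(lines).items():
        print(f"OPEN FORWARD {proto} {ext} -> {client}:{internal}")
```

Run it over an exported router log instead of SAMPLE_LOG to see which external ports are being hammered and which UPnP mappings are still live.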