Slashdot Mirror


New Worm Morto Using RDP To Infect Windows PCs

Trailrunner7 writes "A new worm called Morto has begun making the rounds on the Internet, infecting machines via Remote Desktop Protocol. The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003."

200 comments

  1. Finally by jhoegl · · Score: 2

    A lot of IT uses RDP to access servers remotely. Terminal Services is also used heavily by companies.

    So I was wondering when someone would find and then use an exploit against them. It was only a matter of time :(.

    The good news is the damage may be minimal as it seems to only affect 2k3 R2 servers, at least that is what is reported. It may be all of 2k3 or all 2k3/2k8.

    1. Re:Finally by jhoegl · · Score: 5, Informative

      Hmmmm, after reading the article, I do not see any actual exploit being used, and the server or account that was seemingly brute forced (the only possible way) is required to have some GPO allowances such as root C or D drive access and execute permissions on that drive.

    2. Re:Finally by jhoegl · · Score: 3, Informative
      Yup, brute force... From a post in the linked thread:

      And in my current knowledge, if you get infected, it means you have way too EASY PASSWORD.- Meitzi

    3. Re:Finally by jhoegl · · Score: 3, Informative
    4. Re:Finally by John+Hasler · · Score: 1

      How many Windows boxes do not have way too easy a password?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Finally by jhoegl · · Score: 5, Interesting
      Finally finally... LOL

      If you get hacked, you deserve it.

      Compromising Remote Desktop connections on a network: Port 3389 (RDP)
      Worm:Win32/Morto.A cycles through IP addresses on the affected computer's subnet and attempts to connect to located systems as administrator using passwords from the following list:

      *1234
      0
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      168168
      520520
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890
      !@#$%^
      %u%
      %u%12
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin
      admin123
      letmein
      pass
      password
      server
      test
      user

    6. Re:Finally by Anonymous Coward · · Score: 0

      Yes! They'll never guess my secret...wordpass!

    7. Re:Finally by maxwells_deamon · · Score: 1

      Warning: Parent contains NSFW link
        and not worth looking at anyway

    8. Re:Finally by jayhawk88 · · Score: 1

      Lol, I love it.

      666666
      888888

      No....not 777777. They'll be expecting that.

      Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

    9. Re:Finally by datapharmer · · Score: 1

      Actually, once you have RDP access, privilege escalation is pretty trivial, as you can access the command line regardless of local and group policies by exploiting a flaw in how command line switches are handled.

      --
      Get a web developer
    10. Re:Finally by Zumbs · · Score: 1

      or even better ... drowssap!

      --
      The truth may be out there, but lies are inside your head
    11. Re:Finally by DNS-and-BIND · · Score: 1

      The worm actually tries the password 12345? Windows admins use this password to log in to their servers remotely? Somebody must, otherwise the worm wouldn't spread. That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    12. Re:Finally by louarnkoz · · Score: 1
      Microsoft's analysis is published at: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

      The list of passwords that the worm tries is interesting. Apart from the obvious abc123 and the like, the worm tries "RavMonD" and "zhudongfangyu". Is that a clue? Some Chinese homage to the bazaar?

    13. Re:Finally by KiloByte · · Score: 1

      We still have people setting local admin passwords to "admin" and 123?

      There's more of them than those with reasonable passwords. I'm not counting those with medium strength in either group.

      Seriously, "common sense" is not so common nowadays. And from what I see, the quality of passwords is actually going down.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    14. Re:Finally by Billly+Gates · · Score: 1

      That happened to be the most disgusting troll link I have ever seen on slashdot. I couldn't watch the whole thing without gagging in my mouth.

      I thought goatse.cx and http://www.clownsong.com/ were bad, but that is the WORST

    15. Re:Finally by bwintx · · Score: 2
      TFA article lists "RavMonD" and "zhudongfangyu" as processes the worm tries to stop, not as passwords it attempts.

      Terminates processes
      Morto.A terminates processes that contain the following strings. The selected strings indicate that the worm is attempting to stop processes related to popular security-related applications.

      --
      Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
    16. Re:Finally by Anonymous Coward · · Score: 1

      This story is taking too long. Prepare to Fast Forward!

    17. Re:Finally by Inda · · Score: 1

      Seems a strangely short list.

      No "god"? No "love"?

      Why not 100 or 1000 common passwords?

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    18. Re:Finally by Anonymous Coward · · Score: 5, Informative

      This is not the complete list of what happens.

      I battled this since August 18th, and had identified all the command/control IPs and domains and submitted them to MS--and also identified the files for them and sent them in a zip.

      MS initially had us run a boot disk and multiple scanners and found nothing. I had even asked for some advice on how to properly mitigate network usage *from the server* as the 1000s of connection attempts were nailing the firewall (which was now blocking all outbound 3389 attempts as well) and the arp caches of the network switches--doing a packet sniff, I could see the network gear turned into hubs from switches because the MAC tables couldn't keep up.

      I also had a user get kicked off their machine by a service account that hadn't existed before the virus hit. That machine had 63 malware programs on it--not cookies, but exes and dlls.

      The infections are entirely not due to bad passwords. Once infected it goes out and uses that simple list. You know there are places that have these passwords. Simply having 3389 open is bad, as you can get randomly hit, with an exploit vector as well. Newly installed machines with passwords that were ludicrously complex were also getting infected. The virus also will check out your local network subnet and blast that and similar networks--if you are on 10.10.10.0, it will also blast 10.10.9.0 and 10.10.11.0, for example.

      Anyway there had to be three or four revisions of this patch before it was posted about here. It came out late Friday night, soon after we sent the files. MS only really started taking us seriously (it seemed) when other customers started reporting the same thing. The virus could be manually cleaned but it didn't fix the infection, so you could clean a machine and get it reinfected. The signatures should help prevent further issues, but expect a new critical update patching the actual problem in addition to this cleaning it.
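The subnet-sweeping behaviour described above (and in Microsoft's description quoted earlier: the worm cycles through IP addresses on the affected computer's subnet) can be spotted from connection logs. This is an added example, not code from the thread or from Microsoft; the flow-record format is a constructed assumption.

```python
"""Flag hosts showing the Morto scanning pattern in connection logs.

Added example, not code from the thread or from Microsoft's analysis. It
implements the behaviour the comment above describes: an infected host opens
RDP (3389) connections to host after host in its own /24 and the neighbouring
/24s. The flow-record format below is a constructed assumption.
"""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
DISTINCT_TARGET_THRESHOLD = 20  # an admin rarely RDPs to 20+ distinct hosts in one window

# Constructed sample flows as (src_ip, dst_ip, dst_port); hypothetical, not a real capture.
SAMPLE_FLOWS = (
    # infected host sweeping its own /24 (29 targets) ...
    [("10.10.10.5", f"10.10.10.{i}", RDP_PORT) for i in range(1, 30)]
    # ... and the /24 below it (9 targets), as the comment describes
    + [("10.10.10.5", f"10.10.9.{i}", RDP_PORT) for i in range(1, 10)]
    # a legitimate admin touching two servers: stays under the threshold
    + [("10.10.10.7", "10.10.10.20", RDP_PORT), ("10.10.10.7", "10.10.10.21", RDP_PORT)]
    # an SMB sweep by the same host: different port, ignored by this detector
    + [("10.10.10.5", f"10.10.10.{i}", 445) for i in range(1, 30)]
)


def adjacent_subnets(ip):
    """Return the /24 containing ip plus the /24 immediately above and below it."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    base = int(net.network_address)
    nets = set()
    for delta in (-256, 0, 256):
        addr = base + delta
        if 0 <= addr < 2 ** 32:  # stay inside IPv4 space at the edges
            nets.add(ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/24"))
    return nets


def find_rdp_scanners(flows, threshold=DISTINCT_TARGET_THRESHOLD):
    """Map each source IP to the number of distinct RDP targets it contacted
    inside its own or an adjacent /24, keeping only sources at or above threshold."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port != RDP_PORT:
            continue
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in adjacent_subnets(src)):
            targets[src].add(dst)
    return {src: len(hit) for src, hit in targets.items() if len(hit) >= threshold}


if __name__ == "__main__":
    for src, count in find_rdp_scanners(SAMPLE_FLOWS).items():
        print(f"possible RDP scanner: {src} reached {count} distinct hosts on tcp/{RDP_PORT}")
```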

    19. Re:Finally by MightyMartian · · Score: 1

      I'm just bloody glad I shut down all external access to RDP. For a few years I was opening up RDP for some users who worked from home, but after seeing someone trying hundreds of times to get in to RDP via an Eastern European IP address I finally closed it down and require anyone wanting to use RDP to do it via our VPN.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    20. Re:Finally by KingMotley · · Score: 1

      Simply having 3389 open isn't inherently bad. It's when you allow retarded admins who allow access to that port through the internet and use ridiculously simple passwords on accounts that are given remote login rights AND are exempt from the bad password lockouts.

    21. Re:Finally by Runaway1956 · · Score: 1

      If we haven't wiped ourselves out by the year 10,000, there will still be people using passwords like that. Even the equivalent to today's "security experts" will be caught now and then with idiotic passwords.

      We claim to be intelligent, but sometimes the evidence makes that lie.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    22. Re:Finally by Anonymous Coward · · Score: 0

      Yeah, glaringly absent are iloveyou, thx1138, qwerty, zxcvbn, asdfghjkl, master, hunter1...

    23. Re:Finally by bwintx · · Score: 1

      "TFA article" being akin to "ATM machine," of course. Sorry.

      --
      Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
    24. Re:Finally by X0563511 · · Score: 1

      Seems to be working, which is both depressing and scary.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    25. Re:Finally by aztracker1 · · Score: 1

      Mine... more than one word, l33tified with non letter-number.

      --
      Michael J. Ryan - tracker1.info
    26. Re:Finally by rtb61 · · Score: 1

      Logic has it that you could use more than one configuration of worm. In fact you could use thousands all with different combinations of passwords. You take the assumption that a very lazy tech company will grab one worm, do an analysis and stop there, leaving many many potential other victims out there thinking they are safe.

      Still, such a short list seems pointless unless of course relying on a particular tech company's laziness and willingness to blame users for everything, to mass market a false sense of security and simply blame admins who used passwords from that very short list leaving tens of thousands of other popular passwords available for exploitation (so short on purpose).

      --
      Chaos - everything, everywhere, everywhen
    27. Re:Finally by Lumpy · · Score: 1

      It's just a silent commentary as to the quality of MCSE's thrown into a server administration role.

      Most guys that are worth their salt demand silly salaries like $60,000-$90,000US a year instead of the new ITT grad that will accept $35,000 a year.

      Again, you get what you pay for. And companies pay for 666666 as a server password.

      --
      Do not look at laser with remaining good eye.
    28. Re:Finally by Lumpy · · Score: 2

      You should also already have DROP rules for all IP addresses coming from outside countries you don't have workers in already.

      We don't have any Asian, Eastern or Russian workers so I block all those countries in the firewall. It reduces risk and traffic significantly.

      I also have the firewall add a 24 hour drop rule for any IP address that attempts a connection and gets a rejection more than 5 times to a port in 20 minutes.

      Passwords are your second line of defense, your firewall is your first.

      --
      Do not look at laser with remaining good eye.
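The threshold rule described in the comment above (more than 5 rejections on a port within 20 minutes earns a 24-hour drop rule), worked through as an added example that is not the commenter's own code. The firewall log line format it parses is an assumption, not any vendor's format.

```python
"""Sliding-window drop-rule generator for repeated rejected connections.

Added example, not the commenter's own code: it implements the rule stated
above (more than 5 rejections on one port from one IP within 20 minutes earns
a 24-hour drop rule) over constructed firewall-style log lines. The line format
"<ISO time> REJECT|ACCEPT <src-ip> -> <dst-port>" is an assumption, not any
vendor's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # more than this many rejects ...
WINDOW = timedelta(minutes=20)  # ... inside this window ...
BAN = timedelta(hours=24)       # ... earns a drop rule of this length

# Constructed sample log, in time order as a live log would be read.
SAMPLE_LOG = """\
2011-08-28T10:00:05 REJECT 198.51.100.7 -> 3389
2011-08-28T10:01:10 REJECT 198.51.100.7 -> 3389
2011-08-28T10:02:15 REJECT 198.51.100.7 -> 3389
2011-08-28T10:03:20 REJECT 198.51.100.7 -> 3389
2011-08-28T10:04:25 REJECT 198.51.100.7 -> 3389
2011-08-28T10:05:30 REJECT 198.51.100.7 -> 3389
2011-08-28T10:06:00 REJECT 203.0.113.9 -> 3389
2011-08-28T10:07:00 REJECT 192.0.2.4 -> 3389
2011-08-28T10:07:30 REJECT 192.0.2.4 -> 22
2011-08-28T10:08:00 REJECT 192.0.2.4 -> 3389
2011-08-28T10:08:30 REJECT 192.0.2.4 -> 22
2011-08-28T10:09:00 REJECT 192.0.2.4 -> 3389
2011-08-28T10:09:30 REJECT 192.0.2.4 -> 22
2011-08-28T10:10:00 ACCEPT 192.0.2.4 -> 3389
2011-08-28T10:20:00 REJECT 198.51.100.7 -> 3389
2011-08-28T10:30:00 REJECT 203.0.113.9 -> 3389
2011-08-28T10:55:00 REJECT 203.0.113.9 -> 3389
2011-08-28T11:20:00 REJECT 203.0.113.9 -> 3389
2011-08-28T11:45:00 REJECT 203.0.113.9 -> 3389
2011-08-28T12:10:00 REJECT 203.0.113.9 -> 3389
this line is garbage and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|REJECT) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<port>\d+)$"
)


def parse_line(line):
    """Return (timestamp, action, src_ip, dst_port), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip noise instead of crashing the detector
    return datetime.fromisoformat(m["ts"]), m["action"], m["src"], int(m["port"])


def find_drop_rules(lines, threshold=THRESHOLD, window=WINDOW, ban=BAN):
    """Return {(src_ip, port): (triggered_at, expires_at)} for every source/port
    pair whose rejects exceeded threshold inside the sliding window."""
    recent = defaultdict(deque)  # (ip, port) -> timestamps of rejects still inside the window
    rules = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "REJECT":
            continue  # accepted connections never count toward a ban
        ts, _, src, port = rec
        key = (src, port)
        if key in rules and ts < rules[key][1]:
            continue  # an active drop rule already covers this hit
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # evict rejects that fell out of the window
            q.popleft()
        if len(q) > threshold:
            rules[key] = (ts, ts + ban)
            q.clear()
    return rules


if __name__ == "__main__":
    for (ip, port), (start, end) in find_drop_rules(SAMPLE_LOG.splitlines()).items():
        print(f"drop {ip} -> tcp/{port} until {end.isoformat()} (triggered {start.isoformat()})")
```

Only the source that packs six rejects into five minutes is dropped; the one spacing its attempts 25 minutes apart and the one splitting six rejects across two ports both stay under the rule.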
    29. Re:Finally by Kalriath · · Score: 2

      Flamebait much? (And I have mod points, just preferred not to use 'em).

      Someone having an MS qualification does not make them a bad sysadmin. There are equally shitty Unix sysadmins out there. A stupid sysadmin is a stupid sysadmin no matter who issued their certificate.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    30. Re:Finally by Anonymous Coward · · Score: 0

      I'm betting that Morto's password-based attack is just a proof-of-concept. Renaming the Administrator account and preventing the display of logon user names would thwart it. Expect Morto to be repackaged, distributed through social engineering attacks, and use a keylogger. The password list is probably just for testing.

    31. Re:Finally by hairyfeet · · Score: 1

      I'm shocked they don't have the two moron passwords I saw plenty in the wild, which are ASD123asd and p@ssw0rd. You'd be surprised how many times I saw total dumbshit passwords like that. I'd try to tell the admins but finally gave up because every time I saw truly dumbshit passwords like that it was because the admin was a BOFH and had set some insane password requirements without thinking of the users.

      But the fact that yes, it's 2011 and those passwords work shows a trend I've been saying for a while now, that the corps in their ever fucking of IT and "cost cutting" by firing anyone with a brain and replacing them with the cheapest shit workers they can find once again bites them in the ass. The problem with corp IT is the simple fact that the PHB that causes the mess never gets the blame and in fact will often enjoy "upward failure" as they will have gotten bonuses for their "cost cutting" measure and then moved up or gotten a job somewhere else thanks to their "stellar" cost cutting record, leaving the shitstorm to some other PHB or usually some poor IT flunky who'll get the blame.

      Just another example of why you deserve everything you get if you refuse to hire quality help, sigh. That is why I got out of corp IT, too many PHBs and not enough common fucking sense. It is like that old demotivational in corp right now: "Common Sense: So damned rare it is practically a super power"

      --
      ACs don't waste your time replying, your posts are never seen by me.
    32. Re:Finally by Dunbal · · Score: 1

      omg and I thought my password was weak, it's ********

      --
      Seven puppies were harmed during the making of this post.
    33. Re:Finally by Cyberax · · Score: 1

      I confess, I've used it a few times for a one-off test user (to check that ACLs work correctly). Well, once or twice I forgot to delete this test user.

      So I totally can see that somebody might set up an easy password, especially if a system is non-Internet-facing.

    34. Re:Finally by goose-incarnated · · Score: 1

      Flamebait much? (And I have mod points, just preferred not to use 'em).

      Someone having an MS qualification does not make them a bad sysadmin.

      He didn't say that having an MS cert makes someone a bad sysadmin. Touchy, aren't we? :-)

      --
      I'm a minority race. Save your vitriol for white people.
    35. Re:Finally by fostware · · Score: 1

      Depends on how many sysadmins double-check the *local* administrator account - not just the domain admin's.

      Once won a customer while doing the presentation, just by demonstrating that there's a local account too. Just happened to hit enter on their TS and lo-and-behold straight in. SBS and Domain controllers don't allow the option of a local admin, but member servers are sometimes easy game.

      --
      "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
    36. Re:Finally by Kalriath · · Score: 1

      "It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".

      No, actually, he did say that having an MS cert makes someone a bad sysadmin.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    37. Re:Finally by goose-incarnated · · Score: 1

      "It's just a silent commentary as to the quality of MCSE's thrown into a server administration role".

      No, actually, he did say that having an MS cert makes someone a bad sysadmin.

      Not all, just the ones thrown into it - presumably the ones eased gently into it with the aid of a mentor and possibly supported by organisational processes aren't the bad admins. I grokked the final 6 words as a qualifier - sort of the same thing as saying "It's a silent commentary as to the quality of slashdot participants responding without RTFA".

      But, meh - Tah-mah-toe, tah-may-toe I guess :-)

      --
      I'm a minority race. Save your vitriol for white people.
    38. Re:Finally by unencode200x · · Score: 1

      Citation please.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    39. Re:Finally by snowgirl · · Score: 2

      Weird... when you typed hunter1, all I saw were asterisks.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    40. Re:Finally by adolf · · Score: 1

      We had a few accounts compromised on a public-facing *nix host, once.

      The reason? The person doing admin had set up a whole bunch of accounts with "phone" as a password. To say that I was surprised at this level of incompetence is a bit of an understatement.

      His defense? "Well, that's what the boss told me to do."

      Me: "Did you bother trying to explain to him just how bad of an idea that was?"

      Him: "No."

      The mess was easy for me to clean up. And since then, the passwords are much harder. And after the dude responsible moved on to greener pastures, everything about IT in that company got a lot easier.

      (Note that I don't blame the PHB, who is actually a very rational guy. It's the PHB's job to make decisions, but it's the gunther's job to tell him when he's wrong.)

    41. Re:Finally by LordLimecat · · Score: 1

      Being infected doesn't mean that it happened because of an opened port 3389. I have never heard of an exploit that can run arbitrary code simply due to an open RDP listener. I would imagine such a thing to be possible on VNC far before RDP, given the attention to security that RDP has gotten over the last 10 years.

    42. Re:Finally by LordLimecat · · Score: 1

      Having access to the commandline =/= privilege escalation.

      Care to explain how you can go from "domain user" or "Remote user" to "domain administrator", with commandline access, on server 2003 or server 2008? I'm sure a LOT of people would be interested to hear this.

    43. Re:Finally by Onymous+Coward · · Score: 1

      Interesting. Where do you get the list? And at what rate does it change?

    44. Re:Finally by mikael · · Score: 1

      When I was an undergrad, our computer lab rooms had a 5 key mechanical combination lock which had the default sequence [2 4][3] to open. Twenty years later, I'm trying to get into a secure corporate car-park via a side gate which has exactly the same type of lock. And the combination was the same....

      Some things never change

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    45. Re:Finally by doccus · · Score: 1

      Wow.. I don't see 13579.. but it does have *most* of the dufus passes ;-)

    46. Re:Finally by cavreader · · Score: 1

      I do a lot of consulting with both large and medium size companies and they all seem to validate their passwords to ensure a minimum length while also requiring both alpha and numeric characters in the password. I have also seen places where uppercase, lowercase, and special character use is required.

    47. Re:Finally by EdIII · · Score: 2

      Lol, I love it.

      666666
      888888

      No....not 777777. They'll be expecting that.

      Come on, it's Two Thousand Fucking Eleven. We still have people setting local admin passwords to "admin" and 123?

      Dude... I am crying right now with how hard I am laughing. I might pee myself.

      I swear, I absolutely swear that I had a user so.... "inept" and "unsmart" that the only password the user could remember was 7777777. I'm not kidding. He was management and had problems remembering people's names. We tried giving him different passwords, especially on other systems, and it spawned endless IT calls for help with his password. I mean simple passwords, like grouped names.

      Nope. Could not handle it. Other things in the company he could actually do, which is why they kept him. Idiot Savant when it came to sales and marketing. Passwords? It was like working with a real life monkey.

      I had arguments with upper management about security. Oh, boy did I. I always brought up dictionary attacks and brute force ..... and that he... was vulnerable.

      Apparently not true. TOTALLY SAFE . The irony of the whole thing. My sides hurt.

    48. Re:Finally by smash · · Score: 1

      No, he just said there is a lot of shitty ones out there. He didn't say they are ALL bad, just that there are a heap that are.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    49. Re:Finally by Anonymous Coward · · Score: 0

      how the hell did he remember how many times it was repeated?

    50. Re:Finally by Anonymous Coward · · Score: 0

      But somehow you seem to have figured it out...

    51. Re:Finally by smash · · Score: 1

      Having 3389 open to the world is inherently bad, because you're placing your trust in the service to be secure. And it's from Microsoft. When VPNs or IPSec between hosts is so easily configured, leaving 3389 open to the internet without any second or third line(s) of defense is just grossly negligent.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    52. Re:Finally by datapharmer · · Score: 2

      Once you have access to the command line, you can then use it to transfer exploitable code to the Windows temporary folder. This puts an attack vector in place. Disconnect, then reconnect with the command to execute your payload; this command is executed before policies are enforced. Tah-dah.

      --
      Get a web developer
    53. Re:Finally by Lumpy · · Score: 1

      I get the list from the server: bad login, pass it to the firewall. All decent servers can do this.

      Or do you mean IP addresses for other countries?

      I get them from a secret site on the internet....

      https://encrypted.google.com/search?q=IP+address+country+list&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

      --
      Do not look at laser with remaining good eye.
    54. Re:Finally by Lumpy · · Score: 1

      http://www.parkansky.com/china.htm

      is one I look at monthly, but I will block a wider swath based on that list. I don't care if I block a few other small countries if I cast my net wide.

      --
      Do not look at laser with remaining good eye.
    55. Re:Finally by MrNiceguy_KS · · Score: 1

      He just copied and pasted the asterisks.

      --
      Redundancy is good And also good.
    56. Re:Finally by Anonymous Coward · · Score: 0

      Ha. I know that isn't true. I know for a fact that by the year 9595 we won't be able to make passwords anymore, as there won't be much of a world left. I strongly suggest you visit the prophecies of Zager and Evans.

    57. Re:Finally by rvw14 · · Score: 1

      I just fired off a memo to my staff. From here on we will use the password swordfish.

    58. Re:Finally by EdIII · · Score: 1

      LOL

      Seven 7's buddy :)

      That is what he remembered. Type 7 seven times.

    59. Re:Finally by LordLimecat · · Score: 1

      The degree of misinformation in your post is astonishing.

      Problem the first: If you do not have admin rights, you will get "access denied" on your attempt to upload anything to the Windows global temp folder. You will only have access to your own profile.

      Problem the second: Any program that you launch from the RDP "on connect" feature will share your context, and your privileges. This is not a privilege escalation, since it grants you no additional rights than those you already had.

      Problem the third: Server 2008 restricts which programs are allowed to run after logon, so your exploit vector will simply get access denied even if you DID find a privilege escalation with this method and were able to stick the program in Temp.

      Further, even if you got around all of THOSE issues, the "on connect" program does not run until after the "applying group policy" phase of login ANYWAYS, which makes your entire attack moot. Policies remain in place, and there simply isn't some magical privilege escalation exploit hiding in the Remote Desktop Connection GUI, as much as you might think so.

    60. Re:Finally by Yamioni · · Score: 1

      If you had followed the link provided by datapharmer in a sibling post you would have seen that the exploit in question was "only tested on windows 2000 and 2003"[sic]. Your post makes reference to server 2008. There is a chance you are both correct.

      --
      Cool post bro, highfive \o
    61. Re:Finally by Kalriath · · Score: 1

      Ah, well that makes sense - it's all in how you parse out the sentence I guess.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    62. Re:Finally by LordLimecat · · Score: 1

      Most of that info applies to server 2003 as well.

      Seriously, do you think there would really be that big of a hole-- unpatched-- with a stock option of RDP? That a normal, widely used feature would completely bypass the Windows security model?

      Color me shocked that when I just tested it against one of our 03 servers, it utterly failed to do any kind of escalation. I also just had RDP run "mmc RSOP.msc" on login, and I can see the default domain policy applying.

      None of what he stated is true, and again I am pretty sure that the Windows Temp folder requires admin access even on server 2003.

    63. Re:Finally by Anonymous Coward · · Score: 0

      I like to use three unrelated words with a number as a spacebar.
      One month I had "purple3Triangle3puppy"
      You would be absolutely AMAZED at how well passwords of this type hold up under attack.
      My above one outlasted "GnE4#pP!m" on our test server.

  2. Poor Passwords are the problem by Anonymous Coward · · Score: 3, Informative

    Read about Morto and it says it spreads by trying common passwords such as the following:
    When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

      admin
      password
      server
      test
      user
      pass
      letmein
      1234qwer
      1q2w3e
      1qaz2wsx
      aaa
      abc123
      abcd1234
      admin123
      111
      123
      369
      1111
      12345
      111111
      123123
      123321
      123456
      654321
      666666
      888888
      1234567
      12345678
      123456789
      1234567890

    1. Re:Poor Passwords are the problem by sakura+the+mc · · Score: 1

      How about removing the "Administrator" account and changing the RDP port?

      someone told me many years ago to be paranoid because the internet is "insecure as living fuck."

    2. Re:Poor Passwords are the problem by Anonymous Coward · · Score: 0

      You left out pencil.

    3. Re:Poor Passwords are the problem by jhoegl · · Score: 1

      Why move the port? Port scanners will find it anyways, and it only causes problems for the end users.

      That "Someone" does not understand how hacks/cracks/attack vectors work, does not stay up on current security trends, or know how to handle a password policy.

    4. Re:Poor Passwords are the problem by lucifuge31337 · · Score: 1

      How about removing the "Administrator" account and changing the RDP port?

      Who leaves services like this exposed to the Internet in the first place? Do you people not have VPNs?

      --
      Do not fold, spindle or mutilate.
    5. Re:Poor Passwords are the problem by magamiako1 · · Score: 1

      A lot of people leave these services open, particularly for managed IT for small businesses (small practices, etc.)

      RDP itself is encrypted with RC4 by default, and gets AES if you use FIPS mode.

    6. Re:Poor Passwords are the problem by lucifuge31337 · · Score: 1

      I guess I've been working on real networks for too many years. Even with the small businesses I've done side work for, nothing like this is exposed. It's simply too cheap to do it the proper way, and too expensive not to.

      --
      Do not fold, spindle or mutilate.
    7. Re:Poor Passwords are the problem by datapharmer · · Score: 1

      Yes, we people have VPNs, but you know all those small businesses whose IT staff is "the guy who knows some stuff about computers" and gets stuck "managing the server"? Well, those businesses don't have VPNs, are rarely patched and are the cause for those shenanigans. For companies who are unwilling to pay for the time it takes to properly clean up the mess they have and install proper protections a port change and administrator username change is the "better than nothing" approach. While yes, it is "security through obscurity" the reality of the world is that we don't live in a paradise where every small business is willing to listen to their IT consultants or willing to shell out the money to do things properly. For those cheap companies we do this at minimum to help protect the rest of the world from their ignorance.

      --
      Get a web developer
    8. Re:Poor Passwords are the problem by DarkOx · · Score: 4, Informative

      I generally agree that moving well-known services to alternate ports is a waste of time at best and a headache at worst, for most services.

      Port scanners should not be effective tools in a high security environment though. You should have an IDS that can detect a scan, even if it's a coordinated scan from multiple hosts. That IDS should be able to shun those hosts. There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would-be attackers to run a port scan against your hosts. In which case there may be value in moving high-value targets like administrative interfaces to lesser-known ports; generally legitimate people using those interfaces won't be terribly inconvenienced.

      Will the guy commanding a 10K machine botnet spread over thousands of networks still be able to scan you and find whatever? Certainly yes. If your common threat model really includes that guy though, you're really operating in a different reality than most of us; for the rest, snort, iptables and some shell scripts, or {pick commercial vendor solution} here goes a long way.

      In 1997 an unprotected host was not good enough anymore, you needed a firewall
      In 2000 you needed a stateful firewall
      In 2005 you needed an application layer firewall
      It's 2011, you need IDS / IPS
      The arms race continues....

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    9. Re:Poor Passwords are the problem by magamiako1 · · Score: 1

      I've known a ton of small businesses that leave RDP exposed. Many leave VNC exposed as well (which can be even more dangerous if you don't understand encryption and authentication).

      I've argued with people on IRC that leave entire POS systems exposed via VNC to the internet.

      It's deplorable, but fairly common. And there's nothing particularly wrong with leaving it exposed if you configure it properly. A VPN provides more peace of mind, of course, since you get all the benefits that come with private keys, etc. Not to mention you can encrypt your channel with AES versus RC4 (in FIPS mode you get 3DES).

    10. Re:Poor Passwords are the problem by Onymous+Coward · · Score: 1

      Moving ports protects against worms.

      That "someone" may have better said "the Internet is full of threat". My blocked ports log says there's an unauthorized attempt every 2 and a half minutes. That's not counting attacks on 25, 53, and 80.

      My system is plenty secure, but I guess you could refer to the net at large as "insecure as living fuck".

    11. Re:Poor Passwords are the problem by lucifuge31337 · · Score: 0

      And there's nothing particularly wrong with leaving it exposed if you configure it properly.

      Other than the history of RDP-vector exploits and giving someone basically unfettered access via the Internet to try to brute force your Windows box. Sorry, but I've been in this business before RDP existed, so I've been around for its entire history. It's not a service to be left open to the Internet on critical infrastructure. But those who don't have the perspective are often doomed to have to figure things out for themselves the hard way.

      --
      Do not fold, spindle or mutilate.
    12. Re:Poor Passwords are the problem by magamiako1 · · Score: 1

      Again, re-read a previous post of mine:

      Account Lockout policies. Same difference using "fail2ban" with SSH that so many people use to "secure" their linux boxes.

      What we're down to isn't an argument against RDP, we're arguing over password vs key-based authentication and data integrity.

    13. Re:Poor Passwords are the problem by Anonymous Coward · · Score: 0

      Talking outside of a company context, with Windows it's usually the case that most people don't know the service exists and it's on by default.

    14. Re:Poor Passwords are the problem by ninetyninebottles · · Score: 1

      Good security relies upon a layered defense so no one factor, even a weak password, can compromise your system. A prudent administrator has an IDS looking at and blocking propagation traffic based upon a normal use signature for their network, and has strong passwords, and has a VPN and has firewalls in between network segments. A good OS has services off by default and a silent mode to prevent port scanning and a sandbox around such a likely service with a history of exploits and strongly tested code for the service in the first place to prevent privilege escalation even if there were no sandbox and scanning on the server to identify known malware signatures.

      Layered security, because relying on any one layer in our current climate is absurd.

    15. Re:Poor Passwords are the problem by fast+turtle · · Score: 1

      and that's the biggest problem with using Windows. Too much shit running w/o rhyme/reason or even a decent explanation why.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    16. Re:Poor Passwords are the problem by Lumpy · · Score: 2

      "There is no reason why in 2011 you can't make it prohibitively difficult for the vast majority of would be attackers to run a port scan against your hosts"

      Yes there is. Competent network people and up-to-date networking hardware to do this cost money. Executives would rather continue to run on the out-of-date Nokia firewalls they bought in 2003 and hire employees who are happy to get $25,000 to $35,000 instead of having a budget that is realistic and pay scales that attract competent employees.

      THIS is the reason that in 2011 you can't have in place mechanisms that make it difficult for an attacker to gain a foothold in your company.

      --
      Do not look at laser with remaining good eye.
    17. Re:Poor Passwords are the problem by Lumpy · · Score: 1

      There is NO REASON for that little company that has a guy that knows "puters" to not have a VPN. Cheap SOHO routers support VPNs easily.

      Sorry but if your business can't afford to hire at least a part time consultant that knows what he is doing, you do not deserve to be in business.

      --
      Do not look at laser with remaining good eye.
    18. Re:Poor Passwords are the problem by Anonymous Coward · · Score: 0

      and that's the biggest problem with using Windows. To much shit running w/o rhyme/reason or even a decent explantion why.

      Good golly that's such an ignorant statement on a tech site that you should go change your passwords before Morto gets to yours.

    19. Re:Poor Passwords are the problem by Anonymous Coward · · Score: 0

      Speaking as the guy who knows "puters"... I'd just like to say that from this end of the trenches, it would be just lovely if you guys could write software with a default configuration that wasn't leakier than the Titanic. It's not our (local computer guys) fault that the default configuration is either worthless (Linux, nothing works out of the box) or totally permissive (Windows, everything works but it works for EVERYBODY). Yeah, some of us figure out the right way, but lots of people just do whatever works. Fix this problem at the source; alternately you can try and train about 6 billion people on the proper 156 step procedure for connecting a computer to the internet. I'll leave it up to you professional computer guys.

    20. Re:Poor Passwords are the problem by unencode200x · · Score: 1

      Incoming RDP is not on by default; it never has been afaik. You have to turn it on (in XP, Vista, 7, 2003/2008). The RDC client is installed by default, but it's only used to connect to other Windows boxes.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    21. Re:Poor Passwords are the problem by Anonymous Coward · · Score: 0

      NoBrainer... just rename "Administrator" account... which should be one of the first things you do (and what we all learned in our MCSE classes).

      "Administrator" IS disabled by default on Win 2K8, Vista and 7

    22. Re:Poor Passwords are the problem by smash · · Score: 1

      Leaving it open, irrespective of encryption, still leaves you prone to DoS due to account lockout. And you're also relying on Microsoft, with a rather checkered security history, to have made the service secure. Multi-layered defense is a good (nay, necessary) thing.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    23. Re:Poor Passwords are the problem by smash · · Score: 1

      Speaking as the "guy who knows cars", i'd just like to say that it would be lovely if you guys who make cars could ship them with engines that require no maintenance.

      Network security is a trade. If you're not qualified, don't pretend. If you need internet facing services, get someone qualified to secure them. If you don't feel this is required, and you want to run the gauntlet, be my guest. Just don't cry when many many malicious hosts on the internet have a field day with your network.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    24. Re:Poor Passwords are the problem by smash · · Score: 1

      Welcome to 2006. Windows has disabled services by default for quite a long time now.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    25. Re:Poor Passwords are the problem by PraiseBob · · Score: 1

      Sorry but if your business cant afford to hire at least a part time consultant that knows what he is doing, you do not deserve to be in business.

      And how exactly can these small businesses quickly and easily tell whether the part time consultant is actually good at his job, or only has the appearance of being competent? If everything is working exactly as requested, and the guy says it is secure, how do you verify what he is saying?

      How much money do you expect a small business to pour into something that (at least in their perception) is already working fine?

    26. Re:Poor Passwords are the problem by metrix007 · · Score: 1

      You can't stop a port scan. You can make it difficult as you say, but you can't prevent it outright...so why is the additional effort worthwhile? For what is essentially security by obscurity?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
  3. name of the worm ?? by Anonymous Coward · · Score: 0

    Morto: Italian for dead. Is it a coincidence?

  4. A non-issue for people who use strong passwords by mkraft · · Score: 4, Informative

    From what I've read, the worm isn't using an exploit. It's simply trying to log in using a set of common and easy to guess passwords. If you use strong passwords, then your machine won't be compromised. Though a flood of RDP access requests could amount to a denial of service attack.

    1. Re:A non-issue for people who use strong passwords by jedidiah · · Score: 1

      Sounds like the sort of thing that you might expect to happen and even guard against with things like fail2ban or a homegrown script that does the same thing.

      You would also need to correctly guess a suitable user account too.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  5. ...or that hate default ports... by FlavorDave · · Score: 4, Informative

    Since RDP is a necessary evil for administering remote Windows PCs, at least change the fracking port...

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
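
The full procedure behind that registry key, as an added example that is not part of the original post: it moves the listener, opens the new port in Windows Firewall before the listener is restarted (so you cannot lock yourself out), and disables the default-port rule. It assumes Windows Server 2008 / Vista or later (netsh advfirewall does not exist on 2003), an elevated PowerShell prompt, 33389 as the new port, and that the built-in firewall rule is named "Remote Desktop (TCP-In)" as it is on 2008 and 7; all of those are assumptions.

```powershell
# Added example, not from the original post: move the RDP listener off 3389/tcp.
# Assumes Server 2008 / Vista or later and an elevated PowerShell prompt.
$NewPort = 33389   # assumption: any unused high port will do
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Open the new port in Windows Firewall *before* touching the listener, so a
#    reconnect on the new port is possible once the service has restarted.
netsh advfirewall firewall add rule name="Remote Desktop (custom port $NewPort)" `
    dir=in action=allow protocol=TCP "localport=$NewPort"

# 2. Rebind the listener. PortNumber is a REG_DWORD.
Set-ItemProperty -Path $Key -Name PortNumber -Value $NewPort -Type DWord

# 3. Disable the built-in rule so 3389 is no longer reachable from outside.
#    (Rule name is the one shipped with 2008 / 7; check it with
#    "netsh advfirewall firewall show rule name=all" on other versions.)
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# 4. The new port is used only after Terminal Services restarts. This drops every
#    current RDP session, including yours; if the service refuses to stop on your
#    version, reboot instead.
Restart-Service -Name TermService -Force

# 5. Verify: the registry value and the listening socket, then reconnect with
#    mstsc /v:server:33389
(Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
netstat -ano | findstr ":$NewPort "
```

Changing the port only takes you off the fixed-port list that a worm like this one carries; anything that scans the host will still identify the RDP listener, so the password policy and lockout controls discussed elsewhere in the thread still apply.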

    1. Re:...or that hate default ports... by Culture20 · · Score: 1

      And use an auto-lockout system or auto-firewall (if one exists) like fail2ban. Windows log parsing and firewall can be scripted, but I don't know if anyone's bothered.

    2. Re:...or that hate default ports... by rubycodez · · Score: 1

      nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

    3. Re:...or that hate default ports... by 0123456 · · Score: 3, Insightful

      nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

      Of course if you're serious about security then a port-scan would be logged and blocked. They'd need to compromise multiple machines or scan at a very slow rate in order to be able to get past such a firewall.

    4. Re:...or that hate default ports... by Nemyst · · Score: 1

      I wanted to do that so I could remote to my home PC from university... The firewall there blocks all ports except 3389 and a few others like 21 or 80.

      Security impeding security, wee!

    5. Re:...or that hate default ports... by datapharmer · · Score: 1

      Would you rather have 1000 bots attacking a server or 900? Obviously in a perfect world we would cut it down to 0, but eliminating scripted attacks on poorly secured servers is better than doing nothing.

      --
      Get a web developer
    6. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      How about not opening your anus to the Internet? There are numerous systems, many open source that provide strong cryptographic authentication and encryption.

      Yes you can change the port. You could however use port knocking coupled with that cryptographic system and knock on a port using the key fingerprint and based off a calculated value of the fingerprint open another port for the communication to take place on.

      None of this is trivial. None of it's hard. It's just tedious, like a 15,000 piece puzzle with 2mm pieces.

    7. Re:...or that hate default ports... by omglolbah · · Score: 1

      Set up SSH, you can do port tunneling that way.

      I have port 443 on my server set up to accept SSH, that way I can get through 99% of 'work' type firewalls and get to my stuff :)

    8. Re:...or that hate default ports... by KiloByte · · Score: 1

      The whole point of a worm is that they have multiple machines.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    9. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      or use something like Teamviewer... it's basically a free version of gotomypc.

    10. Re:...or that hate default ports... by 0123456 · · Score: 1, Informative

      The whole point of a worm is that they have multiple machines.

      Not on my internal network.

      And if you have RDP open to the Internet you're so retarded there's no saving you.

    11. Re:...or that hate default ports... by sgt+scrub · · Score: 1

      If someone uses 12345 for the password do you really think they would have the slightest clue as to what your post means? You need to spell it out for them using baby talk. 1) double clicky on the....

      --
      Having to work for a living is the root of all evil.
    12. Re:...or that hate default ports... by Aqualung812 · · Score: 1

      You're correct, but most worms don't try to scan every port. They need to quickly find their next target, and scanning for one port is much quicker than for over 65,000 of them.

      Also, remember they're looking for total dumbasses that put things like "admin" as their password. Pretty sure that people that run RDP on port 6384 don't have trivial passwords.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
    13. Re:...or that hate default ports... by tokul · · Score: 1

      change the fracking port...

      Security through obscurity does not work.

    14. Re:...or that hate default ports... by bloodhawk · · Score: 1

      Why would any competent admin be allowing port scans to hit their servers? They invented this cool thing a little while ago called a firewall.

    15. Re:...or that hate default ports... by bloodhawk · · Score: 1

      change the fracking port...

      Security through obscurity does not work.

      that actually is a fallacy. When it comes to worms and viruses, security through obscurity does help; malware attacks the common denominator. If 1 million people run a service on port 1234 and 10 run it on some other random port, you can bet your last dollar that the vast majority of attacks will focus on port 1234. No, you aren't blocking targeted attacks, just moving half a rung higher on the ladder so that someone actually has to put some basic thought into an attack against you.

    16. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      yes because screw having a standard default port number
      in the same vein no webservers should be run off 80/443/8080, only off a random port number
      and ssh connections should never be run off port 22
      all these should be random and it's up to the connecting machine to either know beforehand which port to connect to, or to try to connect to all of them till it gets a response

    17. Re:...or that hate default ports... by rubycodez · · Score: 1

      so what, the firewall is port scanned and the party starts from there.

    18. Re:...or that hate default ports... by Dunbal · · Score: 1

      How about not opening your anus to the Internet?

      Hey, you get your thrills your way, and let Mr. Goat Se get his thrills his way.

      --
      Seven puppies were harmed during the making of this post.
    19. Re:...or that hate default ports... by KahabutDieDrake · · Score: 1

      Yes it does. Like any other process that relies on masses of essentially unprotected machines, viruses/worms don't have the overhead to spare to include port hopping/scanning/anti-blocking systems. So when a new virus comes around, like this one, it very likely has the default port hard wired into itself. Why? Because it takes 4bits (give or take a bit) and hits 97% of all (RDP capable) machines on the net, while including a port scanner and the related intelligence / anti-security obfuscation and anti-detection would have required a bit more, and still only increased your hit rate by 3%, at best. Furthermore, this entire attack is based on weak passwords, which imply a lack of systemic security, which of course means default ports.

      Ultimately, what follows is that if your RDP port is not the default port, you have an excellent chance of missing out on this worm entirely. Therefore, security through obscurity scores a win.

    20. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      Shit, my uni just puts every box on the wide open internet. No firewalls, no VPN (why VPN when you can just connect directly?). EVERY BOX on campus (14k students) with a public IP address.

      I wish we had a firewall...

    21. Re:...or that hate default ports... by cbiltcliffe · · Score: 1

      yes because screw having a standard default port number
      in the same vein no webservers should also be run off a radomn port number and not 80/443/8080

      Yes, because a webserver that's supposed to be accessible to the general public through a standard web browser, and remote administration that's only used by at most a handful of known users are exactly the same thing....

      Idiot.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:...or that hate default ports... by DarwinSurvivor · · Score: 1

      Why? Just install your OWN firewall on your laptop/uni-computer and be done with it.

    23. Re:...or that hate default ports... by LordLimecat · · Score: 1

      You could also simply do a static port mapping, if your firewall/router supports it, to change which external port is NATed to your server. Tends to be a lot easier than trying to keep track of scads of servers and which port is which PC.

      But generally, if I'm allowing straight up RDP access to the server, there is a strong password in place; changing the port won't stop a detailed scan, which would pick up "RDP" pretty quick. There's not much substitute for a good password; port changing just stops simple worm attacks.

    24. Re:...or that hate default ports... by drinkypoo · · Score: 1

      Of course if you're serious about security then a port-scan would be logged and blocked.

      Really? Only if I either run a software firewall more complex than the one that comes with Windows, or put each machine on its own VLAN and route between them on the switch, and then use some detection software triggered from there...

      The threat here is that one machine will be infected by whatever means and then infect other machines on the same LAN, because nobody's firewall is going to pass RDP anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:...or that hate default ports... by LordLimecat · · Score: 1

      It is already possible to do something like "after 10 failed attempts in 2 minutes, lock account for 5 minutes". Very unlikely to be an inconvenience, but good luck brute-forcing @ 1 attempt every 12 seconds.

      It does raise the potential for a type of administrative DDoS, of course, but presumably knowing that there is an attack is better than not knowing.

    26. Re:...or that hate default ports... by LordLimecat · · Score: 1

      If they're targeting you specifically, they will do such a slow scan, and be changing IPs. Changing the port is enough to lower your profile and make you less conspicuous, but it's not a serious safeguard.

    27. Re:...or that hate default ports... by LordLimecat · · Score: 1

      I'm not really clear why. If you have remote access, and you travel, you probably have SOME method of getting in, whether it be VPN or RDP or LogMeIn or whatever. All of those are hackable; using VPN instead of RDP doesn't really save you from someone doing a brute force on the VPN.

    28. Re:...or that hate default ports... by LordLimecat · · Score: 1

      Wait, you're tunneling port 3390 to port 3389 so that you don't have port 3389 listening on the internet?

      Is some kind of Rube Goldberg machine like this supposed to increase security, somehow?

    29. Re:...or that hate default ports... by asdfghjklqwertyuiop · · Score: 2

      Public key authentication / certs is an option on good VPN systems. If such a thing exists for RDP it is very rarely used.

    30. Re:...or that hate default ports... by LordLimecat · · Score: 1

      That is I suppose a fair answer; but a 10+ character "strong" (by server 2003/2008 standards) password should be strong enough to resist eons of brute force.

    31. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      Nearly all modern firewalls can detect and block port scans.

    32. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      nonsense, RDP (and most other tcp services) can be quickly scanned and identified on ANY port

      IF you're dumb enough not to put access control lists into place.

    33. Re:...or that hate default ports... by catmistake · · Score: 1

      And if you have RDP open to the Internet you're so retarded there's no saving you.

      IMO, if you even need to use RDP as an admin, you are borderline retarded. In my network, RDP is the sole domain of execs and veeps that think they're so monumentally important to the company that they may need to RDP in at odd hours to do quaint document based stuff... or check email or add appointments to their calendar (do not bother trying to explain things to suits... just give them what they ask for and move on... and don't look at them in the eyes, they take it as a sign of disrespect that they fear more than wrinkled slacks).

      Admins that rely heavily on RDP are sissy faery momma's boys. Real admins work on command line. sc. netsvc. psexec. dsquery. system info. tasklist. taskkill. whack whack.

    34. Re:...or that hate default ports... by Anonymous Coward · · Score: 0

      Admins that rely heavily on RDP are sissy faery momma's boys. Real admins work on command line. sc. netsvc. psexec. dsquery. system info. tasklist. taskkill. whack whack.

      Agreed. cmd ftw. And if that's not a typo, it's systeminfo. Also, let's not forget ipconfig, regedit, auditpol, gpupdate, net and cconnect.
      batch batch.

    35. Re:...or that hate default ports... by omglolbah · · Score: 1

      Public facing server listens for SSH on port 443 which is at my apartment.

      I can route any port on my work machine at work through said tunnel to the workstation at home which is NOT accessible from the internet directly.

      Unless you can connect to the SSH port, you will not get to the machine.

      And on the work machine I'd do "mstsc localhost 12345" or whatever port I decide to use.

      This is primarily because most ports are blocked at work, but it also avoids those fixed-port worms quite nicely.

    36. Re:...or that hate default ports... by rubycodez · · Score: 1

      false, a SYN or FIN scan done slowly will successfully probe almost 100% of firewalls out there. my employer often does that as part of work for clients in security assessment.

    37. Re:...or that hate default ports... by cr0nj0b · · Score: 1

      mstsc /v:host:port
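
The tunnel described in the posts above (SSH listening on 443 at home, a local port forwarded to a workstation that is not reachable from the Internet, then mstsc against the local port), as an added example that is not part of the original posts. It uses PuTTY's plink.exe because Windows had no bundled SSH client at the time; the OpenSSH client gives the same result with ssh -p 443 -N -L 127.0.0.1:12345:192.168.1.20:3389 user@home.example. The hostname home.example, the user name, the LAN address 192.168.1.20 and local port 12345 are all assumptions. The server's host key must have been accepted once interactively before this runs, because -batch makes plink fail rather than prompt.

```powershell
# Added example, not from the original posts: RDP over an SSH tunnel on 443/tcp.
# Local 127.0.0.1:12345  ->  SSH server home.example:443  ->  192.168.1.20:3389
# All names and addresses are assumptions.
$LocalPort = 12345
$Tunnel = Start-Process -FilePath 'plink.exe' -PassThru -WindowStyle Hidden -ArgumentList @(
    '-ssh', '-batch', '-N',            # no shell, never prompt (fails instead)
    '-P', '443',                       # SSH server listens on 443 to pass office firewalls
    '-L', "127.0.0.1:${LocalPort}:192.168.1.20:3389",   # bind loopback only:
    'user@home.example'                # nobody else on the office LAN can use it
)

# Wait until the forwarded port is actually listening before starting the client;
# plink needs a moment to authenticate and set up the forward.
$ready = $false
foreach ($attempt in 1..20) {
    if ($Tunnel.HasExited) { break }   # plink failed (bad host key, auth, unreachable)
    try {
        $probe = New-Object System.Net.Sockets.TcpClient('127.0.0.1', $LocalPort)
        $probe.Close()
        $ready = $true
        break
    } catch {
        Start-Sleep -Milliseconds 500
    }
}
if (-not $ready) {
    if (-not $Tunnel.HasExited) { $Tunnel.Kill() }
    throw "SSH tunnel on 127.0.0.1:$LocalPort did not come up"
}

# Connect RDP through the tunnel; mstsc blocks until the session is closed.
mstsc /v:127.0.0.1:$LocalPort
Start-Process mstsc -ArgumentList "/v:127.0.0.1:$LocalPort" -Wait

# Tear the tunnel down when the RDP session ends.
if (-not $Tunnel.HasExited) { $Tunnel.Kill() }
```

Only the SSH server is exposed, and it can be restricted to public-key authentication, which is the property the thread keeps coming back to: the RDP listener itself never faces the Internet, on any port.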

  6. Re:PC is dead by Joce640k · · Score: 1

    Stop adding checkbox marketing features and maybe we'll stand a fighting chance.

    ...against users who choose "123456" for their admin password?

    Maybe you didn't RTFA before posting.

    --
    No sig today...
  7. Require a VPN connection by Pop69 · · Score: 3, Informative

    If IT and users are connecting to a bare open RDP port then someone fucked up along the way.

    Do it right, require a VPN connection before you allow an RDP connection.

    1. Re:Require a VPN connection by jhoegl · · Score: 2

      Maybe, but I wouldn't want an end user's virused system accessing my networks or servers.

      RDP offers better limitations to it.
      True, you could close off every port but 3389 to the VPN, you could limit access to only one server, but then the requests start coming in...
      Besides, wouldnt an SSL RDP session be more viable?

    2. Re:Require a VPN connection by Anonymous Coward · · Score: 0

      Then one of your users leaves a VPN up or is in the middle of using one and then its in your datacenter...

      How does using VPN help again?

    3. Re:Require a VPN connection by rubycodez · · Score: 1

      what if admin dumb enough to choose 1234546 also gives everyone and their aunt tilly the certificates and keyfile for the vpn by plain email?

    4. Re:Require a VPN connection by aztracker1 · · Score: 1

      RDP is already encrypted as of 2003 server (via TLS)... though you don't get client-keys... the issue here is weak passwords, the same issue exists for SSH, short of client keys.

      --
      Michael J. Ryan - tracker1.info
    5. Re:Require a VPN connection by Kalriath · · Score: 1

      SSL RDP? Oh, right - Remote Desktop Gateway. Yes, that's possible as of 2008 Server. Essentially tunnels a Remote Desktop connection over HTTPS, with certificate validation and stuff. Theoretically, you can also configure (as of 2003 I think) your remote desktop connection to use Smart Cards to authenticate rather than passwords... you see where this is going.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    6. Re:Require a VPN connection by cbiltcliffe · · Score: 1

      Weird. Slashdot lets positive contributors disable ads, but not financial contributors.

      That's because if they did, you could simply pay for the right to be an asshole.

      (I know, I know....you can still be an asshole with ads.....)

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    7. Re:Require a VPN connection by Flaming+Foobar · · Score: 1

      Do it right, require a VPN connection before you allow an RDP connection.

      Why exactly do you think that increases security? Most VPNs that I've seen use the AD domain password, which means once the attacker gains access to the VPN, they can access all the network shares, terminal servers, whatnot. You are equally f'ed in both cases. Also, the current RDP implementation uses TLS, which is stronger than e.g. PPTP's RC4, still widely used because it's so easy to set up.

      I see this stupidity all the time: you are required to connect to a PPTP VPN, with access to the company LAN to boot, before you get to ssh to a linux box in the DMZ or wherever. Admins also often refuse to open the ssh ports based on some false belief about how it all works. They don't understand the differences between cryptographic algorithms, they don't really understand why firewalls are used and are good for, and they only have a superficial understanding of TCP/IP and the layers on top of it. They just blindly follow some "best practices" that someone somewhere put into a ppt, and cite meaningless shit like the OSI model, never actually taking the time to really understand.

      --
      while true;do echo -e -n "\033[s\n\033[u\134_\033[B";done
    8. Re:Require a VPN connection by LordLimecat · · Score: 2

      Um, VPN connection can be bruteforced too. Why is it more secure to offer a service to the internet which grants access to the whole network, than to open a service which grants access to one machine?

      Im not really clear on this. RDP uses SSL and is generally regarded as secure. You can easily limit the rate at which passwords can be tried. Please, explain.

    9. Re:Require a VPN connection by Anonymous Coward · · Score: 0

      Just VPN into a walled garden. Simple and effective. Users won't complain because it's no different for them than just presenting RDP directly to the world, it's just much more secure.

    10. Re:Require a VPN connection by Anonymous Coward · · Score: 0

      Certificate-based VPN is far more secure. Push computer certificates to trusted laptops and then require PKI verification before allowing them to connect. For the more paranoid Microsoft administrators, deploy Network Access Protection to also enforce system health (anti-virus, up-to-date definitions, up-to-date patches, etc).

  8. WIP operating systems - show me the money. by djfuq · · Score: 0

    If only M$ didn't make it so difficult to change the RDP port...

    Oh wait, it used to be difficult, but now it's stupid easy: http://support.microsoft.com/kb/306759
    Now they even have a program that does it for idiots -- what amazing customer service!
    This is why I now respect Microsoft's operating systems - someone finds an exploit and they get vilified, so they have to work extra hard and put a lot of money into meeting a higher standard of criticism to keep a huge base of customers satisfied and using their OS.
    They make "QA mistake" releases like Vista, and they turn around and outdo everyone with Win7 and 2008R2..... ....unlike the academic operating systems where often kernels and filesystems and distributions are released with statements given such as "ext4 is now a fully supported file system" http://centos.org/ with severe but not mentioned issues like https://bugzilla.redhat.com/show_bug.cgi?id=696545 but they are silently given a pass because technically it's a WIP.
    With hokey pokey dodgy insecure applications like the authentication-less/unencrypted NFS protocol or the OpenLDAP that sends passwords clear text over the wire still by default configuration, or I could go on and on... but I know this criticism (like the criticism mentioned above) will be ignored and treated like flame-bait...


    --
    Dj fuQ: djfuq urges you to listen to the beats http://djfuq.org
    1. Re:WIP operating systems - show me the money. by Anonymous Coward · · Score: 0

      Yes, very difficult. It takes 30 seconds to edit the registry key and 30 seconds to restart the service. And you do it once.

    2. Re:WIP operating systems - show me the money. by Anonymous Coward · · Score: 0

      Microsoft continues to be the provider of the least secure modern OS, a position they have held since the invention of the modern OS.

      Citations please. Please cite how Windows 7 and Server 2008 R2 are the least secure OSes on the market.

  9. Infecting Windows -- Too Easy by curmudgeon99 · · Score: 0, Flamebait

    You would think that hackers might see there is no honor in hacking windows.
    Windows is such a warmed over dog's breakfast that I can't imagine any self-respecting hacker spending the time to hack a Windows PC. Any fool who uses Windows probably has already had their bank accounts drained. You're just kicking an unconscious body lying in the alley. Why bother.

    1. Re:Infecting Windows -- Too Easy by Anonymous Coward · · Score: 0

      I think you've not kept up with the hacking scene for the last 7-8 years. Today's 'hacking' is done to maximize profit. Exactly how will you do that against anything else when those systems barely exist in comparison?

    2. Re:Infecting Windows -- Too Easy by magamiako1 · · Score: 5, Informative

      This has nothing to do with "hacking windows". This has everything to do with brute forcing passwords.

      This same thing can happen with SSH, FTP, and any other service that uses password authentication.

      In Linux, you install "fail2ban" to slow down brute force attempts.

      In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.

      In all systems, you use more complex passwords or two-factor authentication to avoid this.

      PS: This is only affecting idiots.
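
The Windows-side equivalent of fail2ban that this post, the earlier "Account Lockout policies" post and the "Windows log parsing and firewall can be scripted, but I don't know if anyone's bothered" post all point at, as an added example that is not part of the original posts. Account lockout (secpol.msc, or net accounts /lockoutthreshold:10 /lockoutwindow:2 /lockoutduration:5 for the numbers quoted above) is per account and is what an attacker can turn into a denial of service; the script below instead blocks the source IP at the host firewall after repeated logon failures, which is what fail2ban does for sshd. It assumes Windows Server 2008 / Vista or later (Get-WinEvent and netsh advfirewall do not exist on 2003), PowerShell 2.0, an elevated prompt, failure auditing for logons turned on, and IPv4 sources; the threshold, window and rule-name prefix are assumptions.

```powershell
# Added example, not from the original posts: fail2ban-style source-IP blocking
# for RDP logon failures. Run from Task Scheduler every few minutes, e.g.
#   schtasks /create /tn RdpWatch /sc minute /mo 5 /ru SYSTEM ^
#     /tr "powershell -ExecutionPolicy Bypass -File C:\scripts\rdp-watch.ps1"
# Event 4625 is only written when failure auditing is enabled:
#   auditpol /set /subcategory:"Logon" /failure:enable
$Threshold  = 10                # failed logons from one source address ...
$Window     = 10                # ... within this many minutes (assumptions)
$RulePrefix = 'RDP-bruteforce-' # firewall rules created here carry this prefix

# Collect recent logon failures from the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$Window)
} -ErrorAction SilentlyContinue

# Pull source address, logon type and account out of each event's EventData.
# Logon type 10 = RemoteInteractive (classic RDP); 3 = Network (RDP with NLA,
# but also SMB). Events without a usable IPv4 source ("-", "::1") are skipped.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$' -and
        @(3, 10) -contains [int]$data.LogonType) {
        New-Object PSObject -Property @{
            Ip   = $data.IpAddress
            User = $data.TargetUserName
        }
    }
}

# Addresses that already have a block rule, so re-running is harmless.
$existing = netsh advfirewall firewall show rule name=all |
    ForEach-Object { if ($_ -match "^Rule Name:\s+$RulePrefix(\S+)") { $Matches[1] } }

# Block every source over the threshold and say which accounts it was trying.
$failures | Group-Object -Property Ip |
    Where-Object { $_.Count -ge $Threshold -and $existing -notcontains $_.Name } |
    ForEach-Object {
        $ip    = $_.Name
        $users = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ','
        Write-Output "Blocking $ip after $($_.Count) failed logons in $Window min (accounts tried: $users)"
        netsh advfirewall firewall add rule name="$RulePrefix$ip" dir=in action=block "remoteip=$ip"
    }

# Rules are permanent until removed, e.g. after a false positive:
#   netsh advfirewall firewall delete rule name="RDP-bruteforce-203.0.113.7"
```

The check a practitioner should make before trusting it: generate a handful of deliberate failures from a test client and confirm that 4625 events with that client's address and logon type 3 or 10 actually appear in the Security log on your version of Windows; if they show "-" as the source address, the filter above will never fire and the account lockout policy is the only control you have.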

    3. Re:Infecting Windows -- Too Easy by Anonymous Coward · · Score: 0

      Excellent flame bait. Too bad most people don't use Linux so they can see how shitty it really is.

      See I can play too.

    4. Re:Infecting Windows -- Too Easy by Osgeld · · Score: 1

      Yes, it's Microsoft's fault that some marketing douche playing IT guy thought the last 4 digits of the company's phone number would be a good password for remote access.

      Or did you just read "Microsoft" and miss out on the brute force password part?

    5. Re:Infecting Windows -- Too Easy by Opportunist · · Score: 3

      At least RTFM before posting. The system is helpless against a user that uses "12345" as a root password.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Infecting Windows -- Too Easy by Billly+Gates · · Score: 3, Funny

      "You would think that hackers might see there is no honor in hacking windows."

      I don't know

      I read a comment here from some guy named Anonymous Coward that stated Windows is just as secure as Unix and Mac OS X and it is only hacked because more people use it. After all, IE 6 and IE 7 are staples of good security and coding according to him. More people use it ... that's it!

    7. Re:Infecting Windows -- Too Easy by mcrbids · · Score: 1

      This same thing can happen with SSH, FTP, and any other service that uses password authentication.

      There. 'Nuff said. Passwords are terrible for system level security and should not be used. The basic idea of passwords requires that, to use it, you also give everything needed to use it again. Techniques like two-channel authentication, public key encryption, etc. solve this problem.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    8. Re:Infecting Windows -- Too Easy by magamiako1 · · Score: 1

      You can configure smart card authentication for Windows RDP.

    9. Re:Infecting Windows -- Too Easy by advocate_one · · Score: 1

      so I'm safe then with "54321"...

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    10. Re:Infecting Windows -- Too Easy by Opportunist · · Score: 1

      Yeah. 'Til the worm's next incarnation.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Infecting Windows -- Too Easy by badatnicknames · · Score: 1

      The problem with an account lockout policy is that it penalizes the good guys too. The bad guy brute forces to get a lockout, and then you try to log in but are stuck.
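The two defences named a few replies up (fail2ban-style banning on Linux, Account Lockout Policy via secpol.msc on Windows) and the side effect described just above differ in what they key on. The Python below is an added example, not from the thread and not fail2ban's or Windows' own code: it runs both policies over constructed sshd-style log lines (not a real capture). The thresholds, window and block durations are assumed values, and the lockout model is a simplified sliding window rather than Windows' exact reset-counter semantics.

```python
"""Source-IP banning (fail2ban style) versus account lockout (secpol.msc style),
run over constructed sshd-style log lines. Added example; not fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): five failures against one account
# from one source, then a legitimate key-based login from a second address,
# then one more failure from a third address.
SAMPLE_LOG = """\
Aug 28 10:00:01 srv sshd[4242]: Failed password for administrator from 203.0.113.5 port 40001 ssh2
Aug 28 10:00:02 srv sshd[4242]: Failed password for administrator from 203.0.113.5 port 40002 ssh2
Aug 28 10:00:03 srv sshd[4242]: Failed password for administrator from 203.0.113.5 port 40003 ssh2
Aug 28 10:00:04 srv sshd[4242]: Failed password for administrator from 203.0.113.5 port 40004 ssh2
Aug 28 10:00:05 srv sshd[4242]: Failed password for administrator from 203.0.113.5 port 40005 ssh2
Aug 28 10:00:30 srv sshd[4243]: Accepted publickey for administrator from 198.51.100.7 port 50001 ssh2
Aug 28 10:20:00 srv sshd[4244]: Failed password for administrator from 203.0.113.9 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line, year=2011):
    """Turn one syslog line into an event dict, or None if it is not an auth result.
    Syslog lines carry no year, so the year is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"],
            "failed": m["result"].startswith("Failed")}

class SlidingWindowCounter:
    """Count failures per key inside a sliding time window; block the key for a while."""
    def __init__(self, key_field, threshold, window, block_time, blocked_verb, block_verb):
        self.key_field, self.threshold = key_field, threshold
        self.window, self.block_time = window, block_time
        self.blocked_verb, self.block_verb = blocked_verb, block_verb
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.blocked_until = {}              # key -> end of block

    def decide(self, ev):
        key, now = ev[self.key_field], ev["ts"]
        if now < self.blocked_until.get(key, now):
            return self.blocked_verb         # refused regardless of credentials
        if not ev["failed"]:
            return "allow"
        q = self.failures[key]
        q.append(now)
        while now - q[0] > self.window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[key] = now + self.block_time
            q.clear()
            return self.block_verb
        return "fail"

def source_ban_policy():
    """fail2ban style: keyed on the source address, so only the attacker's IP is dropped."""
    return SlidingWindowCounter("ip", 5, timedelta(minutes=10), timedelta(hours=1), "drop", "ban")

def account_lockout_policy():
    """Account Lockout Policy style: keyed on the account, so everyone using it is locked out."""
    return SlidingWindowCounter("user", 5, timedelta(minutes=10), timedelta(minutes=30), "locked", "lock")

def run(policy, log_text):
    """Apply a policy to every auth event in the log; returns (time, ip, decision) triples."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            out.append((ev["ts"].strftime("%H:%M:%S"), ev["ip"], policy.decide(ev)))
    return out

if __name__ == "__main__":
    for name, policy in (("source ban", source_ban_policy()),
                         ("account lockout", account_lockout_policy())):
        print(f"== {name}")
        for t, ip, d in run(policy, SAMPLE_LOG):
            print(f"{t} {ip:>14} {d}")
```

Run as a script, the source-ban policy lets the key-based login from 198.51.100.7 through after the attacker's address is banned; the account-lockout policy refuses that same legitimate login and the later event from 203.0.113.9, because the account itself is locked until the lockout duration expires. That is exactly the trade-off the reply above points at: keying on the account stops guessing from everywhere, but hands any guesser a denial of service against the real user.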

  10. gpedit.msc &/or secpol.msc can do that by Anonymous Coward · · Score: 0

    As well as the native firewall in Windows, there are TONS of settings regarding RDP &/or Terminal Server services in gpedit.msc + secpol.msc where you can set rights to WHO can use RDP or Terminal Server services, as well as when/where/why/how etc. (I also liked FlavorDave's suggestion of switching the port number via a registry hack, too.)

    APK

  11. SSL VPN? Users don't understand SSL warnings. by Anonymous Coward · · Score: 0

    "Durp, I'm on the hotel wifi, and I'm getting an invalid certificate warning in the browser even though I never ever get this when connecting from home." "Why, yes, I'll accept the certificate!"

  12. Re:PC is dead by rubycodez · · Score: 1

    Exactly the opposite: admins with a PC desktop mentality are too clumsy and vulnerable to be useful to the enterprise. The root cause of this infection would make any OS vulnerable, from mainframe z to an OpenBSD server.

  13. extreme paranoia by Onymous+Coward · · Score: 1

    Good idea. I agree. I switch ports for things, too. Helps to avoid worms. But...

    Scanned at 2011-08-28 11:37:25 PDT for 54s
    PORT STATE SERVICE VERSION
    3390/tcp open microsoft-rdp Microsoft Terminal Service

    It's still possible to see where your RDP port is. So a dedicated attacker or a port-scanning worm (I'd be amused to see one of those) uncovers your hide.

    What about adding port knocking?

  14. you can't fully remove the Administrator account by Joe_Dragon · · Score: 1

    You can't fully remove the Administrator account, and you can't change the RID.

  15. Mod parent up. by khasim · · Score: 1

    The root cause of this infection would make any OS vulnerable, from mainframe z to openbsd server

    Exactly. And I see it every day.

    Just because you THINK you can "admin" a workstation (or a few workstations for your immediate family) does NOT mean that you know how to correctly administer a server.

    That this "virus" has any traction is just more evidence of that.

  16. Whoa, Newsflash! by Opportunist · · Score: 2

    Insecure admin passwords allow remote connections and lead to compromised computers. More details after the film.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Re:you can't fully remove the Administrator accoun by spooky+ghost · · Score: 1

    But you can use a GPO to rename the local administrator account across your domain, or rename it on single machines via lusrmgr.

    --
    No matter what it looks like, there isn't a .sig here.
  18. Morto? by Anonymous Coward · · Score: 0

    Mortos der soul stealer has come!

    I wish I had some ice cream!

    1. Re:Morto? by GameboyRMH · · Score: 1

      D'oh, beaten...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  19. Shut up, bigmouth! by Anonymous Coward · · Score: 0

    Nothing wrong with "pencil"!

  20. Do you do that with SSH too? by Sycraft-fu · · Score: 1

    Or instead do you just use strong passwords?

    That is what the issue with this worm is: Weak passwords. Go read the MS doc and see just how weak I'm talking about: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A.

    This kind of shit affects SSH as well. We periodically whack IPs in China that beat on our SSH servers. They try the same password list over and over, they aren't sophisticated, just looking for weakly passworded stuff.

    The answer isn't to move the port. The answer is to have a good password.

    1. Re:Do you do that with SSH too? by jedidiah · · Score: 1

      Been using fail2ban for YEARS to automatically detect and ban brute force ssh cracking attempts. ...before I knew about fail2ban, I had my own homegrown script that did the same thing. Was pretty easy to cook up too.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Do you do that with SSH too? by Anonymous Coward · · Score: 0

      You're right that it's not the answer, however I still do it, because it keeps a boatload of garbage out of my logs. ;)

    3. Re:Do you do that with SSH too? by DarwinSurvivor · · Score: 1

      This kind of shit affects SSH as well.

      Only if you're dumb enough to actually use passwords for SSH. Does RDP even *support* encryption keys? (honest question)

    4. Re:Do you do that with SSH too? by amliebsch · · Score: 1

      Yes, it does. It can also be used over HTTPS.

      --
      If you don't know where you are going, you will wind up somewhere else.
    5. Re:Do you do that with SSH too? by DarwinSurvivor · · Score: 1

      Why does RDP have anything to do with HTTPS? Last I checked it sure wasn't website traffic. Doesn't the protocol support straight SSL (or TLS)?

    6. Re:Do you do that with SSH too? by vasqzr · · Score: 1

      We simply block traffic from China, Russia, South America, and a couple other countries based on IP. Cuts down on spam, scans/bots, and we don't have any customers from there anyway.

    7. Re:Do you do that with SSH too? by b0bby · · Score: 1

      Remote Web Workplace (SBS 2003 & 2008) uses https - you first connect to a page where you can either use Outlook Web Access or RDP over the https connection. It's actually pretty nice, given strong passwords.

    8. Re:Do you do that with SSH too? by DarwinSurvivor · · Score: 1

      I thought RDP was basically VNC built in? Why would you need a webpage for that?

    9. Re:Do you do that with SSH too? by b0bby · · Score: 1

      You don't need a webpage, but it makes everything easy for the users - they know how to open IE, they go to the same page where you've shown them how to check their webmail, and they can click on Connect To a Computer. Their desktop magically appears before them. It's purely a matter of ease of use, but I like that there are no extra ports open.

    10. Re:Do you do that with SSH too? by DarwinSurvivor · · Score: 1

      Ok, fair enough. You'll still need to pry ssh out of my cold dead fingers though :P

  21. Interesting by Bryan+Bytehead · · Score: 1

    I was wondering who or what was banging on my RDP ports yesterday. My Administrator account has been renamed, and I doubt very much that they would be able to brute my login name, let alone my password, but I turned RDP off just because it was annoying.

    --
    Bryan
    1. Re:Interesting by Anonymous Coward · · Score: 0

      My Administrator account has been renamed

      Perhaps a white hat got in and did a little of your work for you? You know... in 2011 there is just no excuse for having an account named "Administrator" that is actually the box admin. Just out of curiosity... did you change any of the default settings on your boxes? You might want to do that.

  22. That is indeed what it does by Sycraft-fu · · Score: 1

    Someone else linked to the MS info on it: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A and it just goes and tries weak passwords... EXTREMELY weak passwords. It also looks like Vista/7 and 2008/2008 R2 are secure by default, since it tries against "administrator", which is not an account you can actually log in as if UAC is on.

    So as long as your password isn't monkey-fuck retardedly easy, it should be a non-issue. If it is this weak, well, then you really need to get a better password policy, and not because of this worm, just in general.

    Nonetheless, I expect this worm to own tons of systems because people fail at passwords. Story time:

    Back in 1999 I worked as a student for network operations on campus. They wanted to migrate their small domain from NT4 to 2000, and the guy in charge decided to just do a clean reinstall/redo. He knew his shit, and there wouldn't be many user-facing issues except for account recreation. While some users would have no problems, the non-technical ones would whine and cry. He reasoned (correctly) that those kinds of people would have weaker passwords, so he grabbed the SAM file and had me load it on one of our powerful systems to crack. Since it had LM hashes stored (required for Windows 9x, which was in use), cracking alphanumeric passwords could be done inside a week.

    The result was much worse than we thought. At least half of the non-technical people had the password of "changeit", the password that had been handed out as a default password, which you were supposed to change. So it ended up being a big issue because he had the new accounts created with that password, but set the domain to require them to pick a new one. Much crying and whining ensued.

    On account of that, at my current job, when we need to hand out a password to change (our system spans Solaris/Linux/Windows/Mac and there isn't a good method to force a reset on login for all systems), we set it to something like "this is a long password that needs to be changed soon," because nobody wants to type that in every time they log in.
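Why the LM hashes in the story above fell "inside a week" comes down to how LM pre-processes the password before hashing: it uppercases it, pads or truncates it to 14 bytes, and hashes the two 7-byte halves independently, so an attacker searches two tiny keyspaces instead of one large one. The Python below is an added illustration, not the poster's script or any real cracker: it applies those pre-processing steps and compares the resulting work factor with an unsplit, case-sensitive password. The hash rate is an assumed placeholder, not a 1999 measurement, and the per-half DES step is omitted because it does not change the size of the search space.

```python
"""LM hash pre-processing and the resulting work factor. Added example; the DES
step of the real LM algorithm is left out and the cracking rate is an assumption."""
import string

def lm_halves(password):
    """LM pre-processing only: uppercase, truncate/pad to 14 bytes, split into 7+7.
    (The real algorithm then DES-encrypts a fixed constant with each half as the key.
    Real LM uses the OEM code page; ASCII with replacement is a simplification.)"""
    data = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return data[:7], data[7:]

def candidates_per_half(charset):
    """Every half-string of length 0..7 over the charset: the most an attacker must
    try to recover one 7-byte half, since the halves are independent."""
    n = len(charset)
    return sum(n ** k for k in range(8))

def candidates_full(charset, length):
    """Keyspace of an unsplit, case-preserving password of exactly this length."""
    return len(charset) ** length

def days_to_exhaust(candidates, rate_per_second):
    """Worst-case days to try every candidate at a given hash rate."""
    return candidates / rate_per_second / 86400

LM_ALNUM = string.ascii_uppercase + string.digits    # case is folded away: 36 symbols
FULL_ALNUM = string.ascii_letters + string.digits    # case preserved: 62 symbols

if __name__ == "__main__":
    assumed_rate = 1_000_000   # LM hashes per second; an assumed figure, not a measurement
    first, second = lm_halves("changeit")
    print("halves of 'changeit':", first, second)   # second half is one letter plus padding
    print("days per LM half (alnum):", days_to_exhaust(candidates_per_half(LM_ALNUM), assumed_rate))
    print("days for 14-char case-sensitive alnum:",
          days_to_exhaust(candidates_full(FULL_ALNUM, 14), assumed_rate))
```

Two things the numbers show that the story only implies: the second half of an 8-character password such as "changeit" is a single padded letter and falls instantly, revealing the password length, and each 7-character half over 36 symbols has only about 8e10 candidates, so both halves are exhausted in a couple of days at the assumed rate, against a 14-character case-sensitive alphanumeric keyspace that is fourteen orders of magnitude larger.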

  23. Obligatory by Anonymous Coward · · Score: 0

    "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

  24. Re:you can't fully remove the Administrator accoun by Anonymous Coward · · Score: 0

    Maybe you can't, but I still imagine it would be pretty effective to firewall and IP-ban any packet that attempted to log in to the administrator account, though...

  25. Re:you can't fully remove the Administrator accoun by unencode200x · · Score: 1

    Yes, you can, and have always been able to, AFAIK: How to disable the Local Administrator account in Windows. In Vista and 7 you actually have to go and enable it manually.

    --
    Chance favors the prepared mind.
    Perfect is the enemy of good.
  26. I've been noticing a lot of weird event logs stuff by Viper2026 · · Score: 1

    Lots of entries in my event log recently, stuff like:

    "The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client."

    "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

    Just in the past few weeks, starting the last week of July or so.

  27. My logs on the W2K3 based server I'm using by Anonymous Coward · · Score: 1

    "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated." from TermServices is what I've got a thousand entries for since 23/8/11.

    I don't have an insecure password, but I have been using 3389. Good times. You could say I just closed 3389.
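The two TermService messages quoted in the previous posts (the X.224 protocol-stream error and the "client name a exceeded the maximum allowed failed logon attempts" lockout) are the kind of thing worth counting rather than staring at. The Python below is an added example, not from the thread and not Microsoft's tooling: it parses a constructed event export in a simple "timestamp,source,level,message" layout (the layout and every event in it are constructed, not a real log), tallies the lockout messages per day and per client name, and flags the days where the count crosses an assumed threshold.

```python
"""Triage of TermService warning events of the two kinds quoted in the thread.
Added example with constructed events; not Microsoft's tooling."""
import re
from collections import Counter
from datetime import datetime, timedelta

X224_MSG = ("The RDP protocol component X.224 detected an error in the protocol "
            "stream and has disconnected the client.")
LOCKOUT_RE = re.compile(
    r"Remote session from client name (?P<client>\S+) exceeded the maximum "
    r"allowed failed logon attempts\. The session was forcibly terminated\."
)

def lockout_msg(client):
    return (f"Remote session from client name {client} exceeded the maximum allowed "
            "failed logon attempts. The session was forcibly terminated.")

def constructed_events():
    """Build a constructed export, one 'timestamp,source,level,message' line each:
    a quiet baseline, then a burst of 'client name a' lockouts from 23 Aug 2011 on."""
    rows = [
        ("2011-08-20 02:11:40", X224_MSG),
        ("2011-08-21 14:02:13", lockout_msg("WORKSTATION07")),   # one user mistyping
        ("2011-08-22 09:45:02", X224_MSG),
    ]
    start = datetime(2011, 8, 23, 0, 5, 1)
    for day, count in ((0, 20), (1, 25), (2, 15)):   # per-day burst sizes (constructed)
        for i in range(count):
            ts = start + timedelta(days=day, minutes=7 * i)
            rows.append((ts.strftime("%Y-%m-%d %H:%M:%S"), lockout_msg("a")))
    return [f"{ts},TermService,Warning,{msg}" for ts, msg in rows]

def parse_event(line):
    """Split one export line and classify its message as x224, lockout or other."""
    ts, source, level, msg = line.split(",", 3)
    kind, client = "other", None
    if msg == X224_MSG:
        kind = "x224"
    else:
        m = LOCKOUT_RE.match(msg)
        if m:
            kind, client = "lockout", m["client"]
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source,
            "level": level, "kind": kind, "client": client}

def summarize(lines, burst_threshold=10):
    """Count lockout events per day and per client name; flag days at or over the
    threshold (an assumed value; pick one from your own baseline)."""
    per_day, per_client = Counter(), Counter()
    for ev in map(parse_event, lines):
        if ev["kind"] == "lockout":
            per_day[ev["ts"].date().isoformat()] += 1
            per_client[ev["client"]] += 1
    burst_days = sorted(d for d, n in per_day.items() if n >= burst_threshold)
    return {"per_day": dict(per_day), "per_client": dict(per_client),
            "burst_days": burst_days,
            "burst_start": burst_days[0] if burst_days else None}

if __name__ == "__main__":
    report = summarize(constructed_events())
    for day, n in sorted(report["per_day"].items()):
        flag = "  <-- burst" if day in report["burst_days"] else ""
        print(f"{day}: {n:3d} lockouts{flag}")
    print("by client name:", report["per_client"])
    print("burst started:", report["burst_start"])
```

The per-client tally is the useful split: a handful of lockouts spread over real workstation names is users mistyping, while a pile of them all carrying the same short client name on the same days is one automated source, which is what the posts above describe seeing since 23/8/11.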

  28. Re:I've been noticing a lot of weird event logs st by subk · · Score: 1

    You watched it go on for a few weeks without blocking the traffic? Amazing... This must be the Windows IT mantra... Notice something weird? Stare at it for a few weeks. Maybe it will go away.

    --
    Now, if you'll excuse me, I have backups to corrupt.
  29. Re:you can't fully remove the Administrator accoun by Cyphax · · Score: 1

    You don't really have to. I disabled RDP-access for Administrator on our servers. Change the policy that allows the Administrators group RDP-access so that only the Remote Desktop Users group can use RDP, then don't add Administrator to that group. I do the same with SSH.

  30. Re:I've been noticing a lot of weird event logs st by Anonymous Coward · · Score: 0

    You made an asshole remark on Slashdot? I wait. This *is* Slashdot.

  31. Re: do not see any actual exploit being used? by Anonymous Coward · · Score: 0

    'Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003'.

    "A few weeks ago a diary posted by Dr. J pointed out a spike in port 3389 traffic. Since then the sources have spiked ten fold. This is a key indicator that there is an increase of infected hosts that are looking to exploit open RDP services."

  32. distrust China, trust Keith and Bob and Okean by Onymous+Coward · · Score: 1

    I get them from a secret site on the internet.... [LMGTFY]

    Your uncharitable reading of my question and the implications in your reply lead me to take umbrage. Now I'm inclined to be less kind in response. I'll assume instead you're just being silly rather than making a sincere statement with how you phrased your response.

    When I went shopping around for DNSBLs, I had several criteria I judged by like "how do the lists get populated?" So I wonder now, how do the IPs on Keith Parkansky's list, the one you base your DROPs on, get there?

    Looks like he gets his information from Okean.com and Wizcrafts.net, with no mention of how the two sources are merged. Neither of those sources states how it gets its information. Maybe you have relationships with them so you know more than the websites reveal? I would be uncomfortable giving control over my firewall configuration to such vague third parties.

  33. Some Misinformation in this Thread by Anonymous Coward · · Score: 0

    I have it connecting to 2 different networks...

    One of my routers sends me a log file....

    This one is knocking sequentially on ports...

    Unfortunately RDP is one of the useful tools for those of us that have computer illiterate users...

    Trend Micro has a good write-up on it.... Norton Eraser is a tool that "may" work.