Recently, because of the epidemic, we are working from home. For remote access, some small offices do not use a virtual private network; instead they set up port forwarding on the firewall straight to port 3389 on the server. The result is that, for various reasons, the firewall has no restriction on the source IP, so anyone on the Internet can reach the server. Even if the external port is changed to an unusual number, that only delays a port scanner; finding it is a matter of time and adds little real security.
Today I ran into exactly such a problem. A clinic's server kept restarting, and when I logged in I saw the Security log full of failed-authentication events. The server had no security software installed at all, completely naked.
Since this is easy to check, I wrote a simple script to query the events:
function get-hacker {
    # Failed logon events (4625) from the local Security log
    $eventCriteria = @{ LogName = 'Security'; Id = 4625 }
    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Iterate through each one of the XML message properties
        For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
            # Append these as object properties (TargetUserName, IpAddress, ...)
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name $eventXML.Event.EventData.Data[$i].Name `
                -Value $eventXML.Event.EventData.Data[$i].'#text'
        }
    }
    $Events | Select-Object TimeCreated, TargetUserName, IpAddress
}
$result = get-hacker
The results are below. You can see the other side tried different user names, but the IP address is not shown.
No matter: in the corresponding Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log we can see the real IP address, as shown below. You can also watch the other side continuing to scan and run a dictionary attack on the password while you look.
Slightly modify the script above and re-scan:
function get-hacker {
    # Event 140: an RDP connection failed because the user name or password was wrong;
    # unlike 4625, its single data field carries the client IP address
    $eventCriteria = @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140 }
    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Append the IP as an object property
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }
    $Events
}
$result = get-hacker
$result | Select-Object TimeCreated, IP | Group-Object IP
We can see malicious scanning from six source addresses.
The clinic's router is so poor that it cannot be configured with a firewall policy, so I just built a rule on the Windows Firewall and blocked these few IP addresses.
After re-scanning the log, no new entries appeared, which proves the block is effective.
Then I installed anti-virus software and cleaned up a bunch of malicious files.
These are interim protective measures; the next step is to configure a new router for that office to replace their old-fashioned antique equipment.
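The query-then-block steps above, joined into one script as an added example (not the post's own code): it reads event 140 from the RdpCoreTS/Operational log, counts failures per source address, and puts every address over a threshold into a single Windows Firewall block rule. The rule name, the threshold and the allow-list entry are placeholders I chose; it assumes an elevated PowerShell session on the affected server.

```powershell
# Added example; rule name, threshold and allow-list address are placeholders.
function Get-RdpFailedSources {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                # event 140 carries the client address in its IPString data field
                IP = ($xml.Event.EventData.Data | Where-Object Name -eq 'IPString').'#text'
            }
        }
}

function Block-RdpBruteForce {
    param(
        [int]$Threshold = 20,                      # failures from one IP before it is blocked
        [string[]]$AllowList = @('203.0.113.10'),  # placeholder: your own admin address(es), never blocked
        [string]$RuleName = 'Block-RDP-BruteForce',
        [switch]$WhatIf
    )
    $offenders = Get-RdpFailedSources |
        Group-Object IP |
        Where-Object { $_.Name -and $_.Count -ge $Threshold -and $AllowList -notcontains $_.Name } |
        Sort-Object Count -Descending

    # Show the candidates first, so a review is possible before anything is changed
    $offenders | Select-Object @{ n = 'IP'; e = { $_.Name } }, Count | Format-Table -AutoSize

    $ips = @($offenders.Name)
    if (-not $ips) { Write-Host "No address reached $Threshold failures."; return }
    if ($WhatIf)   { Write-Host "Would block: $($ips -join ', ')"; return }

    # One rule, updated in place, so repeated runs extend the list instead of piling up rules
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $merged = @($existing) + $ips | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
    } else {
        # Block all inbound traffic from these addresses, matching what the post did by hand
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -RemoteAddress $ips -Profile Any | Out-Null
    }
    Write-Host "Blocked: $($ips -join ', ')"
}

Block-RdpBruteForce -Threshold 20 -WhatIf   # drop -WhatIf to apply the rule
```

Re-running it after the block should show no new event 140 entries from the blocked addresses, which is the check the post uses to confirm the rule works.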