Ok, so last night around midnight I was playing with some friends and my RDP session ended because 'Someone else logged into that device'. I immediately got suspicious but thought it could have been my phone connecting, it wasn't.
So I unplugged the server's connection to the network and left it, because it was too late for me to care to go downstairs and reboot it to see what happened. (I am powering a HDD via an external PSU, so I thought maybe corruption or my password expired or something.) After I went to check on it today there is a new account (with Administrator rights) called 'support'. I have a bunch of weird software on the server from when I was trying to host a music streaming thing and from trying to find one god damn piece of software that can clone HDDs in Windows SERVER, because every one I use thinks it is an enterprise environment and won't launch.
Anyway, I decided to check if they used the popular Utilman exploit to get in and sure enough, they did. But they were not as dumb as I figured and actually made a small bat file to password protect cmd on the lock screen. Too bad they weren't that smart, because they left the bat file in the C:\Windows folder and all they did was add +s +h (I always have show system and show hidden files on, so all I did was sort by date to find it). The bat file had the password that allowed me to re-Utilman exploit my way back into it. IDK what their plan was; all of my game servers and the NAS RAID array are untouched.

So PSA:
UPDATE YOUR SHIT
DON'T INSTALL OBSCURE SOFTWARE UNLESS YOU ACTUALLY KNOW IT IS LEGITIMATE


Oh and IDK how they got access, the Administrator password was a 9 character password with symbols, capitals, numbers etc. So somewhat secure. That is the only account with remote access and the only Administrator account; ports for SMB, RDP, and 6669, 6969, 69111 are open (last 3 are for game servers), all SMB traffic should be encrypted (and no one uses Admin creds for SMB anyway). My only guess is RDP somehow leaked the creds because it should have been encrypted but maybe it wasn't...

For anyone who wants info on the actual specific attack, here is the bat file and login details they used for CMD. I don't know the support user password (it wasn't the same as the CMD thing); overall I give it a 10/10 for 14-year-old me (totally didn't use the Utilman exploit on someone else's machine when I was 14). Anyway, here is the login and bat file:

Username: support
Password: Hadi!!

@Echo OFF
REM Lock-screen password gate the intruder placed in front of cmd.exe
Title Login
COLOR 03
Echo.
Echo Cmd Login
Echo ==========
Echo.
SET /P "bx32276160702692518614=username:"
GOTO b38571219614275885
:b38571219614275885
SET /P "d24912142241730026224=password:"
GOTO d149912152960521466
:d149912152960521466
REM A wrong username or password jumps to the Exit label; the long labels are only obfuscation
IF "support"=="%bx32276160702692518614%" (GOTO bd557224172739122727) Else (GOTO db1626212052760527041) >nul 2>&1
:bd557224172739122727
IF "Hadi!!"=="%d24912142241730026224%" (GOTO bb43921855998985577) Else (GOTO db1626212052760527041) >nul 2>&1
:db1626212052760527041
Exit
GOTO :dd1049154811817421201
:bb43921855998985577
REM Correct credentials: restore the normal title and colour and drop into a shell
COLOR 07 & Title Command Prompt
CD "C:\Windows\System32"
CLS
CMD.EXE /D
:dd1049154811817421201


131326553247352173111730010.bat

why no dark mode?
Current:

Asus ROG Flow Z13 (GZ301ZE):
CPU: i9-12900H @ Up to 5.0GHz all core
- dGPU: RTX 3050 Ti 4GB

- eGPU: Radeon 6850m XT XGm 16GB
RAM: 16GB (8x2GB) @ 5200MTs

Storage: 1TB NVMe SSD, 1TB MicroSD
Display: Internal 1200p@120Hz, Asus ROG XG-17 1080p@240Hz (G-Sync), Gigabyte M32U 4k@144Hz (G-Sync), External Laptop panel (LTN173HT02) 1080p@120Hz, Asus VG248QE 1080p@144hz

Watercooled Eluktronics THICC-17 (Clevo X170SM-G):
CPU: i9-10900k @ 4.9GHz all core
GPU: RTX 2080 Super (Max P 200W)
RAM: 32GB (4x8GB) @ 3200MTs

Storage: 512GB HP EX NVMe SSD, 2TB Silicon Power NVMe SSD
Displays: Internal 1080p@300Hz

Custom Game Server:

CPUs: Ryzen 9 9900X

RAM: 128GB (4x32GB) DDR5 @ whatever it'll boot at xD (I think it's 3600MTs)

Storage: 2x 1TB WD Blue NVMe SSD in RAID 1, 4x 10TB HGST Enterprise HDD in RAID Z1

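The post above found the intrusion by checking whether the lock-screen Utilman trick had been used, sorting C:\Windows by date for hidden+system files, and noticing a new Administrator account. The following is an added example (not code from the thread or from the intruder's bat file) that automates those three checks on the affected server from the defender's side. It assumes it is run from an elevated PowerShell on the Windows Server in question; the 30-day look-back window is a constructed value, and the list of accessibility binaries covers the programs the lock screen launches as SYSTEM before anyone signs in.

```powershell
# Added example, not from the thread: post-incident check for the lock-screen
# accessibility-binary swap described above, the hidden+system file dropped in
# C:\Windows, and the new local Administrator. Run as Administrator.
$ErrorActionPreference = 'Continue'
$lookback  = (Get-Date).AddDays(-30)          # assumption: widen if the intrusion is older
$system32  = Join-Path $env:SystemRoot 'System32'

# Binaries the lock screen will launch as SYSTEM before any logon.
$accessibility = 'Utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe',
                 'Narrator.exe', 'DisplaySwitch.exe', 'AtBroker.exe'
$cmdHash = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

Write-Host "== Accessibility binaries in $system32 =="
foreach ($name in $accessibility) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { Write-Warning "$name is missing"; continue }
    $item  = Get-Item $path
    $flags = @()
    # A copy of cmd.exe renamed over the binary hashes identically to cmd.exe ...
    if ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash) { $flags += 'same hash as cmd.exe' }
    # ... and still carries the original program's name in its version resource.
    $orig = $item.VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) { $flags += "OriginalFilename=$orig" }
    # Registry variant of the same trick: an Image File Execution Options
    # 'Debugger' value makes Windows start that program instead of the binary.
    $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $flags += "IFEO Debugger=$dbg" }
    $status = if ($flags) { 'SUSPECT: ' + ($flags -join '; ') } else { 'ok' }
    '{0,-18} {1,-22} {2}' -f $name, $item.LastWriteTime, $status
}

# The bat file in the post was hidden with attrib +s +h and found by sorting on
# date; this lists exactly those files, newest first.
Write-Host "`n== Hidden+system files written to $env:SystemRoot since $lookback =="
Get-ChildItem -Path $env:SystemRoot -File -Force |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
        ($_.LastWriteTime -gt $lookback)
    } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, Name | Format-Table -AutoSize

# Local accounts and who sits in Administrators. The LocalAccounts cmdlets need
# PowerShell 5.1 (Server 2016+); older servers fall back to net.exe.
Write-Host "`n== Local accounts and Administrators membership =="
try {
    Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon | Format-Table -AutoSize
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource | Format-Table -AutoSize
} catch {
    net user
    net localgroup Administrators
}
```

Anything reported as SUSPECT, any unexplained hidden+system file with a recent write time, or any account you did not create is worth preserving (copy the file and its timestamps, export the registry key) before the machine is rebuilt, since the post's own follow-up was a reinstall that would have destroyed that evidence.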

It appears it was connected via RDP using FreeRDP; there is a .freerdp folder on their user account.

new discoveries!
Here is their IP:
95.82.26.139

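The two follow-ups above reconstruct the intrusion from artefacts in the 'support' profile. The Windows Security log records the same events directly (the account being created, being added to Administrators, and each RDP logon with its source address), so the following added example (not from the thread) pulls those records for triage. It assumes an elevated PowerShell on the affected server and that the Security log still covers the incident window; the 14-day look-back is a constructed value.

```powershell
# Added example, not from the thread: Security-log triage for the trail this
# intrusion left. Event IDs are the standard Windows Security-audit IDs.
# The Security log is circular and often small, so export it first:
#   wevtutil epl Security C:\ir\security.evtx
$since = (Get-Date).AddDays(-14)    # assumption: widen until the window covers the incident

# 4720 account created, 4732 member added to a local group,
# 4624 successful logon, 4625 failed logon (password guessing shows up here).
$ids    = 4720, 4732, 4624, 4625
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue

# Flatten the event's XML EventData into name -> value.
function Get-EventData($event) {
    $data = @{}
    foreach ($node in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 4732 carries the new member as a SID; translate it to a name where possible.
function Resolve-Sid($sid) {
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }

Write-Host "== Accounts created or added to groups since $since =="
$events | Where-Object { $_.Id -in 4720, 4732 } | ForEach-Object {
    $d = Get-EventData $_
    if ($_.Id -eq 4720) {
        [pscustomobject]@{ Time = $_.TimeCreated; Event = 'AccountCreated'; Target = $d['TargetUserName']; By = $d['SubjectUserName'] }
    } else {
        [pscustomobject]@{ Time = $_.TimeCreated; Event = "AddedTo:$($d['TargetUserName'])"; Target = (Resolve-Sid $d['MemberSid']); By = $d['SubjectUserName'] }
    }
} | Format-Table -AutoSize

# LogonType 10 is RDP; type 3 appears for SMB and for RDP with NLA. Machine
# accounts (name ending in $) and loopback sources are local noise.
Write-Host "`n== Successful logons (4624) with a network source =="
$events | Where-Object { $_.Id -eq 4624 } | ForEach-Object {
    $d = Get-EventData $_
    if (($d['IpAddress'] -in '-', '127.0.0.1', '::1') -or ($d['TargetUserName'] -like '*$')) { return }
    $type = $logonTypes[$d['LogonType']]; if (-not $type) { $type = $d['LogonType'] }
    [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Type = $type; Source = $d['IpAddress'] }
} | Sort-Object Time | Format-Table -AutoSize

Write-Host "`n== Failed logons (4625) per source address, most first =="
$events | Where-Object { $_.Id -eq 4625 } | ForEach-Object { (Get-EventData $_)['IpAddress'] } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# A new account gets a new profile folder the first time it signs in, so the
# folder's creation time dates the first interactive use (the .freerdp folder
# mentioned above would sit inside that profile).
Write-Host "`n== User profiles by creation time =="
Get-ChildItem -Path (Split-Path $env:USERPROFILE -Parent) -Directory -Force |
    Sort-Object CreationTime -Descending | Select-Object CreationTime, Name | Format-Table -AutoSize
```

Reading the output together answers the thread's open question of how they got in: a long run of 4625 failures from one source followed by a 4624 from that same source is password guessing, whereas a single 4624 with no failures points at a leaked or reused credential or a vulnerability in the exposed service.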

21 hours ago, Mnky313 said:

UPDATE YOUR SHIT
DON'T INSTALL OBSCURE SOFTWARE UNLESS YOU ACTUALLY KNOW IT IS LEGITIMATE

First line correct, second one not so much. Never expose anything directly to the internet unless it is absolutely necessary! If you need remote access, use OpenVPN with safe ciphers and large keys (and while you are at it, have user auth enabled).

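A server-side OpenVPN configuration that follows the advice in the reply above (modern ciphers, large keys, and username/password authentication in addition to client certificates), as an added example that is not part of jagdtigger's post. File paths, the tunnel and LAN address ranges, and the location of the PAM plugin are assumptions to adjust for your install; the PKI files themselves come from your CA (easy-rsa or similar).

```conf
# Added example config (not from the thread). Paths, addresses and the
# plugin location are assumptions; adjust to your install.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

# Server identity and PKI (4096-bit RSA or an EC CA generated with easy-rsa).
# 'dh none' with ecdh-curve uses ephemeral ECDH instead of a static DH file.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh none
ecdh-curve secp384r1

# Control channel: TLS 1.2 or newer, AEAD suites only, and tls-crypt so packets
# without the shared key are dropped before any TLS handshake is attempted
# (scanners see nothing listening).
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-crypt /etc/openvpn/server/ta.key

# Data channel: AEAD ciphers only. OpenVPN 2.5+ negotiates from data-ciphers;
# 'cipher' is the fallback for older clients.
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256

# User auth: every client needs a valid certificate AND a username/password
# checked through PAM, so a stolen laptop alone is not enough to connect.
verify-client-cert require
remote-cert-tls client
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

# Route only the server's LAN over the tunnel; RDP and SMB stay reachable
# through the VPN and are no longer forwarded from the router.
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

With this in place the only port forwarded on the router is UDP 1194, and the game-server ports can stay open on their own while RDP and SMB are reachable exclusively through the tunnel.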

2 hours ago, jagdtigger said:

First line correct, second one not so much. Never expose anything directly to the internet unless it is absolutely necessary! If you need remote access, use OpenVPN with safe ciphers and large keys (and while you are at it, have user auth enabled).

Yeah, once I noticed that they used RDP to get in I figured it wasn't something I installed and was just some exploit in RDP on old Windows Server versions (or just without a certain patch). Should be good now; I changed my DDNS and will probably just use VNC for remote desktop. Also updated it to Server 2019 with the latest patches :)



  • 2 months later...

Hmmmmmmmm, I wonder if this was that recently discovered RDP exploit. That's it.


On 11/16/2019 at 11:06 PM, Mnky313 said:

and the only Administrator account, ports for SMB, RDP, and 6669,6969,69111

Why do you have samba and RDP open to the Internet to begin with?

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Just now, WereCatf said:

Why do you have samba and RDP open to the Internet to begin with?

I had RDP open to remotely connect and Samba for a network drive; I fixed it a while ago.


