Brute Force or Virus ?

Posted on 2009-04-20
Last Modified: 2012-05-06
By the end of last year one of my servers was hacked. I really don't know exactly how the person managed to get my RDP password.
I had RDP open on 3389 to all IPs, and I had a small lower-case password like "u00xyt".
Do you think they could have broken in through brute force?
Or did they manage to get that password some other way?

Thanks !

Question by: netwhw

    Accepted Solution


    my ranking:

    on 1: Terminal server can be brute forced (using e.g. TSGrinder) without triggering account lockouts. This holds even if you defined account lockouts in your password policy. Using such a short and weak password, this is trivial. If you give direct RDP access (without VPN) then you MUST enforce very strong passwords = complexity requirements + min 9 characters (I would even say 10, but hey, I'm a security pro).

    on 2: Your password was grabbed using a keylogger (deliberately installed) or similar malware. You can determine the likelihood of this by thinking about how much you log on using untrusted PCs (kiosk, 'friend', internet café, ...).

    on 3: There is a very hard to pull off man-in-the-middle attack against RDP (up till v5). Very unlikely, unless you are in an environment with very interesting information which is worth a lot of effort.

    kr, J.

    Author Comment

    So the most probable was the brute force...
    What do you recommend doing beyond long and complex passwords?
    What is that you mention, account lockout?

    Expert Comment

    Yep, the most probable is brute force.
    Recommendation next to strong passwords: access your terminal server through a plain VPN or an SSL VPN. This depends on how valuable your data and infrastructure are. A good password may be enough.
    Account lockout: the automatic locking of an account when a wrong password has been tried x times. You can set this in the local security policy or push it through group policies.
    If you need more information on password policies, please create a new question, as this one is closed.

    kr, J.
