Opened 2 ports, and probably not by chance, got ransomware...


  1. Posts : 97
    Win 7 Pro 64 Bit
       #1



    I feel my somewhat cavalierly opening 2 ports in my networked Win 7 64 bit PC has allowed a hacker to infiltrate it with a nasty ransomware that the experts say is not decryptable, save risking a hefty payment to bandits. Luckily I had a backup of the C: drive, and the D: drive had only a small number of non-critical directories encrypted. The E: drive is a total loss...



    I have several questions! I was trying to run a tracker server on my home PC called Traccar. It requires the opening of ports 5055 and 8082 with UDP and TCP. I port forwarded them in my Technicolour TG282n router and allowed them to pass in the Windows firewall. But using a web based port checker they remained closed to the outside world.



    I then enabled DMZ in the router and they appeared open then. I am WAY out of my depth, but I feel this may have left the PC that the router linked the ports to vulnerable? I have by chance looked in the router log and see that whilst I was out today something has scanned ports, including at least one of those I opened.



    I opened them both inbound and outbound, but I am now thinking each may only have needed to be opened one way. Again, out of my depth. Thousands of people run this server software and a search of its forum shows no angry cries of it creating a vulnerability, so I guess it's me doing something rash...



    It shows:


    IDS scan parser : tcp port scan: 192.168.1.70 scanned at least 10 ports at 82.70.254.222. (1 of 2) : 192.168.1.70 82.70.254.222 0052 TCP 5055->53971 [.FA...] seq 1552092604 ack 1315363770 win 258


    I have written the backup to C: and now desire to open these ports again, but I need advice please. Without DMZ enabled these ports appear closed. Is there a safe way to open them without enabling DMZ?


    I will start a new thread about backups; I naively stored them on a software RAID1 disk pair on the same machine. By luck, or maybe by design from Macrium Reflect, the image files were not encrypted. I will ask in a more appropriate part of this forum about how to store backups away from the machine that's being backed up. In hindsight I think I did a stupid thing in doing that!


    Many thanks if anyone can advise whether the port opening (only done two days ago) may have led to this attack, and how to safely open them without enabling DMZ, which I believe may bypass the router firewall?


  2. Posts : 0
    Windows 7 Ultimate x64
       #2

    DMZ opens all 65,535 ports to the computer/server. You don't want that.

    The ports may appear closed due to ICMP ping requests being denied, or there is port knocking going on to open those ports. I'd try the Traccar server software first without testing the ports and see if it works as it should.

    What exactly are you doing with this GPS server software? I may know of a way to do this without port forwarding, but it will require a different router flashed with the third-party firmware ASUS Merlin or DD-WRT.

    Since you're running a server to the outside world, you may be interested in a hardware-based firewall like pfSense put on a Nettop. You can buy a Nettop on eBay for cheap. If this server software runs in Windows, you may be interested in Peerblock and my Peerblock lists here. This will help cut down on unsavory IP connection attempts you don't want.


  3. Posts : 3,785
    win 8 32 bit
       #3

    UDP doesn't get a reply; there is no connection, it just says hello and gets no response. TCP/IP actually makes a connection, and an open port may seem to be closed if nothing answers. When you open a port you can't test it on the local network; you need to be on another network, like mobile. You need to be sure the infection was from open ports and not something else.


  4. Posts : 97
    Win 7 Pro 64 Bit
    Thread Starter
       #4

    OK, thanks, I will address this. I have now got the needed ports open without recourse to using DMZ, many thanks.


  5. Posts : 3,785
    win 8 32 bit
       #5

    Best practice is to set DMZ to an IP not used on the network, so any attack goes nowhere.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd