
7 days Dedi Server PC hacked by Russians


Rabbitslovecactus


Hi guys. Anyone else have issues with this?
I have a dedicated server that I built just for 7 Days to Die and local-only Plex streaming. The PC was newly imaged with nothing else on it. Just last night I wanted to RDP to it and couldn't, because somehow the account required a password change. So I logged into it locally, only to find a Trojan on it, a crypto-mining app, and a Russian proxy service running.

 

Does the 7 Days server app and its required settings/setup get tested for vulnerabilities? I am worried to use it after all this...

[screenshot attached by the poster]


To my knowledge it's not vulnerable. But Windows itself has a whole host of vulnerabilities and attacks that could have caused this to happen. If you haven't already re-imaged the computer (which I highly recommend doing anyway, after copying over your world saves), then I would be curious to see if there are any logs that might help determine the source of the breach. There are also some group policies and settings that can help mitigate some of the potential causes of the breach, as well as some software from Malwarebytes to help beef up the Windows Firewall. If you're interested in chatting about it, you're welcome to DM me or share screens with me on Discord at Andromeda#0092, and I can walk you through some of the places that you can look to see what might have happened (and if not, I can walk you through setting up something like Sysmon from Microsoft, which would capture more system logs so that you can better determine how a security breach happened).

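The reply above points at the Windows logs as the first place to look before re-imaging. The script below is an added example, not the poster's own procedure or anything shipped with 7 Days to Die: it pulls the Security-log events that an exposed-RDP compromise normally leaves behind (4625 failed logons, 4624 successful logons with logon type 10 = RemoteInteractive, 4720 account created, 4732 member added to a local group) and tallies them by source address and account. The 14-day window and the Sysmon install lines at the end are assumptions; run it as Administrator on the affected box, ideally from a read-only copy of the logs if you want to preserve evidence.

```powershell
# Added example (not from the thread): triage RDP-related logon activity in the
# Windows Security log. Assumes Administrator rights and that default logon
# auditing was on. Event IDs: 4625 failed logon, 4624 successful logon,
# 4720 user account created, 4732 member added to a security-enabled local group.
$since = (Get-Date).AddDays(-14)   # assumed look-back window

function ConvertFrom-SecurityEvent {
    # Flatten the EventData <Data Name="..."> fields of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($n in $xml.Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    $fields['TimeCreated'] = $Event.TimeCreated
    $fields['Id'] = $Event.Id
    return $fields
}

function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEvent $_ }
}

"== Failed logons (4625) by source address =="
# A burst of failures from a few addresses followed by a success is the
# password-guessing pattern against exposed RDP.
Get-SecurityEvents -Id 4625 |
    Group-Object { $_.IpAddress } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

"== Successful remote-interactive logons (4624, LogonType 10) =="
Get-SecurityEvents -Id 4624 |
    Where-Object { $_.LogonType -eq '10' } |
    Select-Object TimeCreated, TargetUserName, IpAddress, WorkstationName |
    Format-Table -AutoSize

"== Accounts created (4720) and local group additions (4732) =="
# Miners/proxies usually add a persistence account or put one in Administrators /
# Remote Desktop Users; compare against the accounts you created yourself.
Get-SecurityEvents -Id 4720, 4732 |
    Select-Object TimeCreated, Id, SubjectUserName, TargetUserName, MemberName |
    Format-Table -AutoSize

"== Services installed (System log 7045) =="
# The proxy and miner are often registered as services; 7045 records the binary path.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# After re-imaging: install Sysmon so the next incident has process, network and
# file-creation telemetry. Paths and the config file are assumptions; Sysmon and
# a community config (for example SwiftOnSecurity's) must be downloaded separately.
# .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 20
```

If the Security log shows 4624/LogonType 10 events from a public address for an account you never used remotely, the RDP path is confirmed; if the log was cleared (event 1102) or the 4625 count is huge, treat the password as breached regardless.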

If you have a firewall which allows you to control NAT, the only ports that should be forwarded are the ones for LiteNetLib. I did a search for vulnerabilities in LiteNetLib, and I couldn't find any. Given the nature of the protocol, it is also very unlikely any vulnerabilities would give interactive access to the operating system, although escalation attacks are not out of the question.

 

Far more likely is that you opened up some other ports, including possibly RDP, and the compromise was done either by hacking or by a weak/breached password.


Having Remote Desktop active is a very common way for hackers to access your Windows installation. If you need to remote into the server, there are several free programs that allow you to do this without having Remote Desktop active. I learned a lot about it after having my office server hacked with ransomware. The very first thing the security company I hired did was turn off Remote Desktop and explain why. I also had a static IP address, which made it much worse. Hackers scan the internet for static IP addresses, as I guess they are easier to hack?? At least that's what the security company told me.


Hi guys, thanks for the responses. Yeah, I've formatted it right away. I did some digging and found out that DMZ was active for the server's IP. Pretty sure that was the cause. I've disabled that and also turned off UPnP. For RDP I've limited it to certain users and made sure that the account that the PC uses is not an admin. Plus many more changes.


Sorry, I haven't been on a PC much the last couple of days.


The preference would be to do it on your router, but if you have a single DMZ on/off switch, then it seems like yours might not have the granularity to do what you need to do.

 

It is possible to create custom firewall rules on Windows 10 and above, and filter by IP address, e.g. see mine below:

[screenshot of the poster's custom Windows Firewall rules]

 

But I've not done it, as I use a commercial grade firewall on my network which does it much better.

 

The Microsoft article here describes how, but I've personally never followed it, so your mileage may vary: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule

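The last reply points at the Microsoft article for building inbound rules filtered by IP address, and the earlier replies make the two related points that only the game's ports should be forwarded and that RDP should be restricted to specific users. The PowerShell below is an added example that ties those together; it is not the poster's rule set from the screenshot or anything from the 7 Days to Die project. The port numbers (26900/TCP and 26900-26903/UDP, the game's documented defaults), the LAN range 192.168.1.0/24, and the account name gameadmin are assumptions; adjust them to your serverconfig.xml and network. Run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the thread): Windows Defender Firewall rules for a
# 7 Days to Die dedicated server, scoped by remote address. All values below
# are assumptions: change them to match your serverconfig.xml and LAN.
$GamePortTcp  = 26900            # ServerPort in serverconfig.xml (assumed default)
$GamePortsUdp = '26900-26903'    # LiteNetLib / Steam query range (assumed default)
$Lan          = '192.168.1.0/24' # only network allowed to reach RDP
$RdpUser      = 'gameadmin'      # non-admin account used for remote logon

# 1. Game traffic: this is the only thing that also gets a port forward on the
#    router. No RemoteAddress filter, players connect from anywhere.
New-NetFirewallRule -DisplayName '7DTD Server TCP' -Direction Inbound -Protocol TCP `
    -LocalPort $GamePortTcp -Action Allow -Profile Any
New-NetFirewallRule -DisplayName '7DTD Server UDP' -Direction Inbound -Protocol UDP `
    -LocalPort $GamePortsUdp -Action Allow -Profile Any

# 2. RDP: disable the built-in "Remote Desktop" group (allows any source) and
#    replace it with a rule that only accepts the LAN. If you need RDP from
#    outside, put a VPN in front instead of widening $Lan.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
New-NetFirewallRule -DisplayName 'RDP from LAN only' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $Lan -Action Allow -Profile Any

# 3. Require Network Level Authentication so a password guess has to succeed
#    before the session host is even touched (registry value is the documented one).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 4. Limit who may log on over RDP: only the named non-admin account. Members of
#    Administrators can always RDP, which is why the game account must not be one.
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like "*\$RdpUser" })) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpUser
}

# 5. Default-deny inbound on every profile so SMB, WinRM, the Plex admin port and
#    anything the miner might open later are unreachable unless explicitly allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -Enabled True

# 6. Verify: show the port and address filters of the rules just created.
Get-NetFirewallRule -DisplayName '7DTD Server TCP', '7DTD Server UDP', 'RDP from LAN only' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Remote   = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

The Windows rules are the second line of defence; the router should still forward only 26900/TCP and 26900-26903/UDP (or whatever your serverconfig.xml uses), with the DMZ and UPnP left off as the original poster did. A host firewall rule scoped to the LAN does nothing if the router is still shoving every inbound packet at the box.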
