[SOLVED] Opened two ports and probably not by chance got ransomeware!

Dec 21, 2019
5
0
10
0
I feel my somewhat Cavalierly opening 2 ports in my networked Win 7 64 bit PC has allowed a hacker to infiltrate it with a nasty ransomeware that the experts say is not decryptable save risking a hefty payment to bandits. Luckily I had a back up of the C: Drive and D: Drive had only a small number of none critical directories encrypted. The E: Drive is a total loss...

I have several questions! I was trying to run a tracker server on my home PC called Traccar. It requires the opening of ports 5055 and 8082 with UDP and TCP. I port forwarded them in my Technicolour TG282n router and allowed them to pass in the Windows firewall. But using a web based port checker they remained closed to the outside world.

I then enabled DMZ in the router and they appeared open then. I am WAY out of my depth but I feel this may have left the PC that the router linked the ports to, vulnerable? I have by chance looked in the router log and see that whilst I was out today something has scanned ports including at least one of those I opened.

I opened them both inbound and outbound but I am now thinking each may only needed to have been opened one way. Again, out of my depth. Thousands of people run this server software and a search of its forum shows no angry cries of it creating a vulnerability, so i guess it's me doing something rash...

It shows:

IDS scan parser : tcp port scan: 192.168.1.70 scanned at least 10 ports at 82.70.254.222. (1 of 2) : 192.168.1.70 82.70.254.222 0052 TCP 5055->53971 [.FA...] seq 1552092604 ack 1315363770 win 258

I have written the back up to C: and now desire to open these ports again, but I need advice please. Without DMZ enabled these ports appear closed. Is there a safe way to open them without enabling DMZ.

I will start a new thread about back ups, I naively stored them on a software RAID1 disk pair on the same machine. By luck or maybe design from Macrium Reflect the image files were not encrypted. I will ask in a more appropriate part of this forum about how to store back ups away from the machine that's being backed up. In hindsight I think I did a stupid thing in doing that!

Many thanks if anyone can advise if the port opening (only done two days ago) may have led to this attack, and how to safely open them without enabling DMZ which I believe may bypass the router firewall?
 

USAFRet

Titan
Moderator
Mar 16, 2013
119,693
3,194
159,340
19,372
Open ports.

Every IP address is scanned all the time. All day, every day.

They're not looking for you, they are looking for some inroad into a system.
An open port might reveal some info about the system behind it.
"Hi, this is a Traccer server! Please enter the username and password."

And then they will try to log onto that system.
Starting with the default username/password.
If you've not disabled that default...they're in.

If you have a trivial username/password...they're in.
You're screwed.
But probably not where the ransomware came from.
 
Reactions: Gatley

Math Geek

Champion
Ambassador
you need to use a different machine if you wish to run a server like that. it will always be very vulnerable due to the nature of running a tracker. mixing this with your personal use pc is asking for what you have seen over and over.

do yourself a favor and get another machine to attempt this on. you will never win the battle with software like that running.
 
Reactions: Gatley

USAFRet

Titan
Moderator
Mar 16, 2013
119,693
3,194
159,340
19,372
Open ports.

Every IP address is scanned all the time. All day, every day.

They're not looking for you, they are looking for some inroad into a system.
An open port might reveal some info about the system behind it.
"Hi, this is a Traccer server! Please enter the username and password."

And then they will try to log onto that system.
Starting with the default username/password.
If you've not disabled that default...they're in.

If you have a trivial username/password...they're in.
You're screwed.
But probably not where the ransomware came from.
 
Reactions: Gatley
Dec 21, 2019
5
0
10
0
Backups:


RAID 1 is not a backup.
Sorry, I didn't explain well, the software RAID is just for some storage redundancy, I was using Macrium Reflect to create back ups, but I was storing the backups on both the RAID1 Drive D and copied to Drive E as well, but all are on the same machine. I see now the vulnerability of saving any backup to any drive of the same machine, thanks,
 
Dec 21, 2019
5
0
10
0
you need to use a different machine if you wish to run a server like that. it will always be very vulnerable due to the nature of running a tracker. mixing this with your personal use pc is asking for what you have seen over and over.

do yourself a favor and get another machine to attempt this on. you will never win the battle with software like that running.
Yes, I was thinking similarly, I have a spare PC capable of running this server, but I was not sure if being on the same hard wired LAN as the others it would actually be any safer? Would it? If so I will probably take that route, many thanks.
 

USAFRet

Titan
Moderator
Mar 16, 2013
119,693
3,194
159,340
19,372
Yes, I was thinking similarly, I have a spare PC capable of running this server, but I was not sure if being on the same hard wired LAN as the others it would actually be any safer? Would it? If so I will probably take that route, many thanks.
Viruses, including ransomware, can and do screw up every system on the network.
 

Math Geek

Champion
Ambassador
would be safer for sure but of course still vulnerable. but as USAF noted i doubt you got the ransomware from the server anyway.

unless someone logged into your pc through the software and placed it there, which is highly unlikely, it came from somewhere else.

more than likely the nasty stuff came from elsewhere
 

ASK THE COMMUNITY

TRENDING THREADS