
I have a PC with a static IP bought from my ISP and RDP enabled. I was using this PC for development and didn't tell anyone about it or use it for any communication purpose, so it's not possible that someone knew about it. But I got hacked with ransomware and all my files are encrypted. Fortunately, I have a backup of everything. But I want to know how the hacker knew that there is a server on that static IP that is not attached to any domain or used by any public products (website, web service, etc.).

  • Possible duplicate of [Script Kiddies - how do they find my server IP?](https://security.stackexchange.com/questions/113456/script-kiddies-how-do-they-find-my-server-ip), [How do attackers find the IP addresses of recently deployed servers?](https://security.stackexchange.com/questions/106953/how-do-attackers-find-the-ip-addresses-of-recently-deployed-servers), [How does the attacker discover our server?](https://security.stackexchange.com/questions/154556/how-does-the-attacker-discover-our-server). – Steffen Ullrich Oct 18 '18 at 10:17
  • Ransomware is most commonly spread through email and infected files, not through direct connection to an IP. I would look for other reasons why you got hit by ransomware. – schroeder Oct 18 '18 at 11:53
  • @schroeder I just opened my PC and found there is a job opening a readme file that asks me to contact a strange mail address, sending them an ID (they look to have many victims), if I want to restore my files. I also found all my database and back-end code encrypted (and other files like documents and binaries). I didn't open any mail or such thing on that PC as it's brand new. – Ammar Hussein Oct 18 '18 at 11:58
  • In my opinion, then you have a bigger problem than someone finding your IP. Either someone was able to log into your machine (in which case you should not be restoring files from backup, but rebuilding the machine from scratch and changing the RDP password) or the machine was infected from another source. You still have an open problem on your hands, and it's not an IP. – schroeder Oct 18 '18 at 12:03
  • @schroeder I'm going to install a Red Hat server and close all remote ports except SSH and the port for my web service, hoping that would close the issue. Is it a good idea? – Ammar Hussein Oct 18 '18 at 12:09
  • As long as you remove the current OS and files, it doesn't matter what you replace them with. – schroeder Oct 18 '18 at 12:13

1 Answer


I was using this PC for development and didn't tell anyone about it or use it for any communication purpose, so it's not possible that someone knew about it

The entire Internet is regularly port scanned, by malware, attackers and researchers such as shodan.io alike. You cannot expect any service accessible to the Internet to remain unidentified for more than seconds after connecting it.

If you make anything available, secure it. Keep it patched. Disable unneeded features, and so on. Protocols that have a high impact and a poor security record, such as RDP, should probably not be exposed directly, but shielded, for instance via a VPN or an SSH tunnel, so that the service is not externally accessible.

Your question is like asking why anyone broke into your house, when you didn't advertise the address in the newspaper or phone book: someone saw it there, and decided to break in.

vidarlo
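The answer's point that an exposed port is found within seconds can be checked on the host itself. The following added example (not from the answer or from Security StackExchange) parses a constructed Windows Firewall log, tallies inbound hits per source and reports which non-LAN sources actually completed a connection to RDP; the host address 192.0.2.10 and the log lines are assumptions.

```python
"""Summarise unsolicited inbound probes in Windows Firewall (pfirewall.log) lines.
Added example for the answer's point: a freshly connected host's firewall log already
shows hits on TCP/3389 from unrelated sources. The log is a constructed sample in
pfirewall.log field order; the host address 192.0.2.10 is an assumption."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Sources in these ranges are treated as local (LAN/loopback), not Internet.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CONSTRUCTED_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-10-18 10:17:05 DROP TCP 203.0.113.7 192.0.2.10 51234 3389 52 S 1 0 8192 - - - RECEIVE
2018-10-18 10:17:09 DROP TCP 198.51.100.23 192.0.2.10 40001 3389 52 S 1 0 8192 - - - RECEIVE
2018-10-18 10:17:12 ALLOW TCP 203.0.113.7 192.0.2.10 51240 3389 52 S 1 0 8192 - - - RECEIVE
2018-10-18 10:17:40 DROP TCP 203.0.113.7 192.0.2.10 51301 445 52 S 1 0 8192 - - - RECEIVE
2018-10-18 10:18:02 DROP TCP 198.51.100.23 192.0.2.10 40077 3389 52 S 1 0 8192 - - - RECEIVE
2018-10-18 10:20:30 ALLOW TCP 192.168.1.5 192.0.2.10 50100 3389 52 S 1 0 8192 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield (action, src_ip, dst_port) for each TCP data line, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 8 or fields[3] != "TCP":
            continue
        yield fields[2], fields[4], int(fields[7])

def probe_report(text):
    """Per source IP: total hits, ports touched, and ports the firewall ALLOWed."""
    report = defaultdict(lambda: {"hits": 0, "ports": set(), "allowed": set()})
    for action, src, port in parse_firewall_log(text):
        entry = report[src]
        entry["hits"] += 1
        entry["ports"].add(port)
        if action == "ALLOW":
            entry["allowed"].add(port)
    return dict(report)

def rdp_exposed_to_internet(text):
    """Non-local sources that got an ALLOWed connection to RDP: proof that the
    service was reachable from the Internet, not just from the LAN."""
    exposed = set()
    for src, entry in probe_report(text).items():
        if RDP_PORT in entry["allowed"] and not any(
                ip_address(src) in net for net in LOCAL_NETS):
            exposed.add(src)
    return exposed
```

On a real host, feed the contents of `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` to `probe_report`; a non-empty result from `rdp_exposed_to_internet` means RDP was reachable by outside scanners and belongs behind a VPN or SSH tunnel as the answer recommends.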