
I use a German server for RDP.

Recently I received an email from my server provider saying that my server participated in a DDoS attack.

Can anyone point me in a direction on how to resolve the issue?

I have

  • changed my password to be a very strong one
  • turned on Windows Firewall.

This server is not serving any websites, it is only running some Windows software, accessed only by myself alone using RDP.

Could it be the Windows image has a trojan in it? My server was originally Linux, I installed Windows Server 2012R2 myself, following an online tutorial.

Although I highly suspect that may be the cause, it may be other things that I have done wrong. Could anyone help?

Email forwarded:

Below is the technical email forwarded from the German Federal Office for Information Security (BSI).

NetBIOS defines a software interface and a naming convention. NetBIOS over TCP/IP provides the NetBIOS programming interface over the TCP/IP protocol.

Over the past months, systems responding to NetBIOS nameservice requests from anywhere on the Internet have been increasingly abused for DDoS reflection attacks against third parties.

Affected systems on your network:

Format: ASN | IP | Timestamp (UTC) | Workgroup name | Machine name

XXXXX | 1XX.2XX.1XX.2XX | 2020-04-21 02:15:34 | WORKGROUP | KIMSUFI

We would like to ask you to check this issue and take appropriate steps to secure the NetBIOS nameservice on the affected systems or notify your customers accordingly.

Dave M
stackmike
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Nikita Kipriyanov Dec 14 '22 at 16:22

2 Answers

You need to adjust your network settings. It doesn't sound like you need NetBIOS for anything in the use case you have detailed, so it is best to turn it off. Tap the Windows key, type in Control Panel<Enter>, choose Network and Sharing Center, then Change adapter settings. Right click the network adapter and choose Properties. Double click Internet Protocol Version 4. Click Advanced.... Choose the WINS tab. Under NetBIOS setting choose Disable NetBIOS over TCP/IP. That should stop it.

CB_Ron
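The same change, done from an elevated PowerShell prompt instead of the Control Panel dialog, as an added example that is not part of the answer above. It uses the `Win32_NetworkAdapterConfiguration` CIM class (whose `SetTcpipNetbios` method takes `2` for "disable NetBIOS over TCP/IP"), then verifies that nothing is still bound to UDP 137, the port the BSI report is about. The extra firewall rule is an assumption on my part, not something the answer calls for; it simply covers any adapter added later.

```powershell
# Added example: disable NetBIOS over TCP/IP on every IP-enabled adapter and verify.
# TcpipNetbiosOptions values: 0 = default (via DHCP), 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

foreach ($a in $adapters) {
    Write-Host ("{0}: TcpipNetbiosOptions before = {1}" -f $a.Description, $a.TcpipNetbiosOptions)
    # SetTcpipNetbios reports success as ReturnValue 0
    $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    if ($r.ReturnValue -ne 0) {
        Write-Warning ("SetTcpipNetbios failed on {0}: ReturnValue={1}" -f $a.Description, $r.ReturnValue)
    }
}

# Re-read the configuration: every adapter should now show TcpipNetbiosOptions = 2
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, IPAddress, TcpipNetbiosOptions | Format-Table -AutoSize

# Optional (assumption, not from the answer): also block inbound NetBIOS name service
# at the host firewall so a new or reconfigured adapter cannot re-expose it.
New-NetFirewallRule -DisplayName "Block inbound NetBIOS-NS (UDP 137)" `
    -Direction Inbound -Protocol UDP -LocalPort 137 -Action Block -Profile Any

# Final check: no process should be listening on UDP 137 any more
# (an empty result here is the outcome you want). nbtstat -n shows the local name table.
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -eq 137 }
nbtstat -n
```

Run it over the RDP session you already have; disabling NetBIOS does not affect RDP (TCP 3389). A reboot is not required for the CIM change to take effect, but the verification at the end is what confirms the server has stopped answering name-service queries.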

You should also go over your firewall settings if your server is exposed directly to the Internet, and shut down everything you don't need. Exposing RDP directly to the Internet is also a bit risky, so I'd recommend using a VPN to access the server if you aren't hosting anything that needs to be accessible from the Internet on that server.

Stuggi
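A way to carry out this answer's advice on a Windows Server that sits directly on the Internet, as an added example that is not part of the answer above: first inventory what the host actually listens on and which inbound rules allow traffic, then make the firewall deny everything by default and restrict the built-in "Remote Desktop" rule group to the VPN's client range. The VPN subnet `10.8.0.0/24` is a placeholder of mine; the `OwningProcess` column on `Get-NetTCPConnection` is available on Server 2016 and later (on 2012 R2 use `netstat -ano` for the same information).

```powershell
# Added example: audit exposure, then restrict RDP to a VPN subnet.
$vpnSubnet = "10.8.0.0/24"   # placeholder: the address range your VPN hands to clients

# 1. What is listening? Anything here that you cannot name is a candidate to stop or block.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize
Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Which inbound rules currently allow traffic, on which ports, from which sources?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Sort-Object LocalPort | Format-Table -AutoSize

# 3. Make every profile active with inbound traffic denied unless a rule allows it.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 4. Keep RDP, but only from VPN clients. Do this while connected through the VPN,
#    otherwise the change cuts off the session you are using.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress $vpnSubnet

# 5. Confirm the RDP rules now carry the restriction.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Steps 1 and 2 are read-only and are worth running first: the listener list is what an attacker's scanner would see, and the rule table tells you why each port is reachable. Only after the VPN is working and you are logged in through it should step 4 be applied, since a mistake there locks you out of a server you can only reach over RDP.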