Please if you run a dedicated server read this. A virus just killed my machine.

[Bossco82]

Hi Guys,

I run a DCS dedicated server in the UK with SRS. It does not connect to anything else, it only runs a DCS and SRS server. It was hacked sometime today and a trojan virus hidden as VPC.exe did a crypto ransomware attack. Locked out my whole desktop and locked all my drives. Windows was on :C and anything for the servers was on :E.

Nothing is downloaded to this machine, not even emails are checked. 

My first sign of a problem was higher than normal wattage being used on my plug in watt meter. Then I noticed 100% usage on the CPU and on board graphics. The CPU temp being overly high was also an obvious sign. 

Other signs were SRS cutting out at random for various users. Severe stuttering and lagging were also reported before the desktop and any access was locked out completely.

The servers were the DCS Hooligans so to anyone using them I am sorry but it will be down for the near future.

If your running a server take whatever precaution or checks you see necessary as this experience genuinely sucks. I hope this does not happen to anyone else and it is an isolated incident.

Can any experts on here advise on the potential that this could have carried via remote access hidden in a .miz file?? I share mission files with a PC in the USA, only concerned for my mates computer.

Cheers take it easy all.

[Tiger-II]

You "run a server". Do you own the server hardware or do you actually rent a server from a hosting company?

If the server in reality is a hosting company, then sue the life out of them.

If the server is yours, then the question is: did you disable anything you don't need, and run a tight firewall? By disable "anything you don't need", on my systems that means stuff like Windows Store is unable to function because certain system features are deleted. You can't run a Windows box without performing some major surgery if you want to keep it even slightly secure.

[Bossco82]

It was my own machine. I went through every security firewall I can think of. I'm not an expert but I'm no novice either.

There is a secure remote access setup with another user in the USA.

The blackmail email was a Wanheda @ dnmx.org and Wanheda @ cock.li

It was not isolated to the OS it went through drive  :C :E and a connected USB stick. Every single file was corrupted and the file name changed with an encrypted stamp.

Dont know how else to put that.

I do hope no-one else gets hit by something like this. I had a few guys looking forward to a WW2 session tomorrow.

System was running latest Windows 10. 

 

Edited December 25, 2022 by Bossco82

[Tiger-II]

I'm sorry to hear that.

Windows is just a major security headache. There is no real way to secure it - it is INsecure by design.

The only thing I can advise is that you (anyone, actually) keeps OFFLINE backups/copies of all their important data/files. By OFFLINE, I mean on a disk that they have physical control of that is NOT connected to any computer except to access data when required.

Any data used online (e.g. all day computing, or a server) should merely be a working copy that you can lose any time.

Online and offline do NOT refer to network! It refers to the "old" definition of storage being available to a system. If iy is unplugged/depowered and inaccessible, then a virus can't attack it.

Unfortunately, crypto miners and ransomware that encrypts everything is rampant, and the only defense is to have backups. The only safe way to restore such a system is to nuke the drives of an infected machine, and re-install from scratch. It is also much quicker (a couple of hours work).

Antivirus was always pretty much useless, but nowadays it is even more useless.

I'm not suggesting anything, but do you absolutely trust your friend in the US?

There was also this, recently: https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/

[Bossco82]

Hi Tiger,

Thanks for your reply, really appreciate it.

Luckily I treat the server machine as if it was a burner machine. I also keep copies of everything important on a 4tb back I, back up once a week. I'm a bit old school with back ups.

Nothing has been lost I can't fix with re-formatting, re-installing and time.

It was a wake up call that could have been more costly.

Take care mate, thanks again for taking the time to reply. 

[Dangerzone]

50 minutes ago, Bossco82 said:

There is a secure remote access setup with another user in the USA.

What remote access protocol or software was being used? was it something like TeamViewer, a VPN, etc?

[Bossco82]

A Windows RDP connection with a member from my Discord channel. I have the same connection with them. To upload .miz files. That connection won't be used anytime soon!

One mission file ran on mine, UK. One mission file ran on his, USA. Im the sole mission builder. He works in networking I trusted his advise. I thought what we were sharing was secure. He helped setup my SRS recently.

So far my gaming machine which shares the same physical router seems unaffected. That machine has no RDP setup at all.

The purpose of this post was to prevent anyone else getting their servers attacked in this way. I would rather know what mistake I made and fix it. 

Cheers.

[Dangerzone]

Ok. I’ve personally seen a number of RDP connections hacked. Unless you have some additional protection such as 2FA, vpn, firewall blocking all ips except the remote one etc it’s not too difficult to get hacked at all these days. I’d suspect this over a miz file myself. 

If you had additional security layers such as RDP over VPN, then maybe need to dig deeper, but if it’s a straight forward RDP port open to the web then  I’d consider building the next setup with some extra layers of protection and that would be my primary suspect. 

If you still suspect the miz, upload it here and others can take a gander. 

Cheers

Edited December 25, 2022 by Dangerzone

[Mars Exulte]

Sorry for your misfortune. This is a good reminder why I keep 3-4 separate physicalmy separated copies of all important documents and files : one on my phone, one on a shock resistant portable drive, and one on my PC. All copies are updated every few months.

I recently lost my phone, but thanks to my triple redundant backups, I lost nothing significant just a couple months worth of photos and memes :p

[Bossco82]

Mars, and Danger thank you for your replies.

Straight forward RDP I'm afraid. I trusted it.

I have a couple of .miz files from way back. I will update those to my latest standards and go from there. You might think it odd I still keep a paper book notepad, lol! A whole year at a time anything important goes in it.

Thanks for your advise.

Merry Xmas and take it easy.

Edited December 25, 2022 by Bossco82

[Dangerzone]

14 hours ago, Bossco82 said:

Mars, and Danger thank you for your replies.

Straight forward RDP I'm afraid. I trusted it.

I have a couple of .miz files from way back. I will update those to my latest standards and go from there. You might think it odd I still keep a paper book notepad, lol! A whole year at a time anything important goes in it.

Thanks for your advise.

Merry Xmas and take it easy.

 

Nothing weird about paper mate - hackers can't get to that! And straight RDP... I'd bet 10:1 that's where the attack came from. The good news / silver lining is that you've been able to now identify the likely method used, and it's an easy fix to deal with it when you do your reinstall. 

[BitMaster]

Never ever allow RDP 3389/tcp directly from www-->srv .  That was bound to fail.

Check if your Router supports a VPN and use that for your pal. With VPN, RDP is no security issue.

Just don't open 3389/tcp on the router for any given Windows machine inside your network !!!!!!

 

I use a professional Teamviewer subscription mainly but also use VPN-RDP for some clients sometimes.

You can try Teamviewer for private use for free and see if it works consistently or starts to say " suspect professional use..." and cut off.

If you do too many different PC's it will act up and moan but its ok for occasional usage to a rather short list of PC's.

 

Windows in not per se insecure, it is as safe as you make it or as unsafe as you let it be.

If you only open  the DCS ports in your firewall to the specific DCS-SRV it is ok,

just do net set that machine into a DMZ, that would be a disaster of the highest order.

Use a Windows SRV over a Windows Client, disable services, keep it sleek.

 

Maybe invest in another router if yours does not offer VPN.

 

* Any Backup on any internal or USB drive would be encrypted too !!  

My tip: Use a backup software that can use SFTP ( Acronis ) and connect to a NAS that only runs SSH service, no Windows File Sharing service activated. 

That is how I secure my clients on premise Backups.

 

Seen a lot of encrypted servers, it's not funny at all, it is disgusting and utmost criminal.

 

 

[Bossco82]

Thanks Bitmaster,

I am not going to pretend to understand all of that. Networking and security has always been something I struggle to fully understand. I must fix this very soon.

I wont be allowing any RDP access to my machine anymore. I reset all permissions on my router too.

I only have opened what is needed for DCS server and SRS.

There was nothing on the machine except the actual DCS server SRS server and Windows 10. So it was easily just reset. A friend donated a new SSD with Windows pre-installed so any infected drive is not in the machine anymore.

Bitmaster, this might be a stupid question but they can only infect any USB drives that were physically plugged in at the time right?? I backup to a USB stick and then unplug it and leave it in a cupboard, same with a USB dock for mech drives. I backup and remove so if anything like this happens. I can load those files to a new SSD.

One final thing, what does 3389/tcp do?

Thanks again for the replies.

Edited December 26, 2022 by Bossco82

[Lange_666]

7 hours ago, Bossco82 said:

Bitmaster, this might be a stupid question but they can only infect any USB drives that were physically plugged in at the time right?? I backup to a USB stick and then unplug it and leave it in a cupboard.

That's like getting pregnant without...

[Hoirtel]

14 hours ago, BitMaster said:

Windows in not per se insecure, it is as safe as you make it or as unsafe as you let it be.

If you only open  the DCS ports in your firewall to the specific DCS-SRV it is ok,

just do net set that machine into a DMZ, that would be a disaster of the highest order.

Use a Windows SRV over a Windows Client, disable services, keep it sleek.

 

Not sure I understand this information, but it sounds important! What would be setting a machine into a DMZ?

Thanks to @Bossco82for sharing this. Important lessons for us all. I do worry a little about server security so it's good to learn as much as I can.

[Bossco82]

Hi Lange,

I thought the same mate, however this left me with a bit of paranoia to be honest. I feel like a plonker now lol!!

For anyone reading this I am not an expert on networking security. I was offered advise that sounded legit and I went with it. Don't do that. This forum is a goldmine, you can ask a group. If you get the same answer from different people at the same time. That will probably be legit.

Thank you to everyone who replied, my server is back up and ok. With the security flaw fixed.

[BitMaster]

I try to keep it as simple as possible to make something out of it.... tho I have a terrible flew and my head feels like 2m wide

 

Any service on a network needs one or more ports and a port can only be used by one service.

DCS uses several ports with multiple protocols, 10308 tcp & udp for gameplay, 10309 tcp & udp voice. It also uses other ports but those do not need to be opened to the public network

for various reasons. 5222 XMP is outbound only, same for 80 & 443, all tcp. You do not need and actually should not open those incoming ports at all. You may want to open the WebGUI to public but I think that is not such a good idea, use VPN instead and allow only local WebGUI access.

 

What is a DMZ or Demilitarized Zone:

It means that any Machine you put in there is NOT protected by the Firewall but directly accessible on all 65535 Ports by anyone from the public net.  Not a good idea in 99% of scenarios.

 

Strictly only allow ports and protocols inbound that you REALLY need for:  anonymous/world/POSSIBLE_BAD_GUY connections. 

examples:  Mail Server : 25 or 465 or 587,  the 3 relevant Mail ports, all tcp

                  Web Server: 443   nothing else   only 1 https, tcp

                  DCS Server   10308 tcp & udp  simualtion service

                                        10309 tcp&udp  voice service

 

When you open those ports, they bypass the firewall and only a unknown to me firewall that could sense the DCS net-protocol in its Application Proxy could maybe control DCS netstreams. Only a handfull of games, mostly web based games, are pre-included in high end firewalls with such filters. I havent seen DCS among them in the list.

 

            

 

Use well protected Remote Services only. Teamviewer ( might need a license ) or VPN + RDP.  

 

 

 

 

 

[reece146]

A DMZ should never be an unprotected network segment. Think of it more as a different security level zone compared to you internal network.

[tomcat_driver]

DMZ is not automatically insecure by default. It's a third interface to place internet facing services. You can setup it's filtering in any professional prosumer firewall just like any of the other interfaces.

A few recommendation of my part. If the hacked system was in the same network as the rest of your devices, you should be concerned. Your network is already compromised. If you haven't yet, you should at a minimum report the cybercrime to your local authority : https://www.gov.uk/guidance/where-to-report-a-cyber-incident

I'd also recommend backing up your whole system, format everything and quarantine the backup by restoring it in an isolate virtual machine.

Also, if you haven't yet, you should start using a firewall device. A Pfsense should be enough in most cases and allows you to manipulate features usually found on top of the line devices like Fortinet. But make sure you understand that any firewall or security device is just as secure as the level of knowledge of the user who sets it up. Learn as much as you can. Tutorials are everywhere. You can even build your Pfsense from an old laptop using an USB-Ethernet adapter for the second required port.

I haven't tried it myself with DCS, but it should work. For the traffic list above by BitMaster, with Pfsense or any pro/prosumer firewall, you can apply IPS/IDS filtering to the application's traffic. 

Passwords. Better late than sorry. Start changing all of them and whenever possible, MFA. You can have an MFA authenticator on your phone like google's or Microsoft's. For the passwords, I recommend you use a password manager like Keepass to generate and store your passwords. You can generate completely random 20+ characters passwords 

Edited December 29, 2022 by tomcat_driver

[Bossco82]

21 minutes ago, tomcat_driver said:

DMZ is not automatically insecure by default. It's a third interface to place internet facing services. You can setup it's filtering in any professional prosumer firewall just like any of the other interfaces.

A few recommendation of my part. If the hacked system was in the same network as the rest of your devices, you should be concerned. Your network is already compromised. If you haven't yet, you should at a minimum report the cybercrime to your local authority : https://www.gov.uk/guidance/where-to-report-a-cyber-incident

I'd also recommend backing up your whole system, format everything and quarantine the backup by restoring it in an isolate virtual machine.

Also, if you haven't yet, you should start using a firewall device. A Pfsense should be enough in most cases and allows you to manipulate features usually found on top of the line devices like Fortinet. But make sure you understand that any firewall or security device is just as secure as the level of knowledge of the user who sets it up. Learn as much as you can. Tutorials are everywhere. You can even build your Pfsense from an old laptop using an USB-Ethernet adapter for the second required port.

I haven't tried it myself with DCS, but it should work. For the traffic list above by BitMaster, with Pfsense or any pro/prosumer firewall, you can apply IPS/IDS filtering to the application's traffic. 

Passwords. Better late than sorry. Start changing all of them and whenever possible, MFA. You can have an MFA authenticator on your phone like google's or Microsoft's. For the passwords, I recommend you use a password manager like Keepass to generate and store your passwords. You can generate completely random 20+ characters passwords 

 

Thank you mate most of this is already done. It has also been reported to the UK action fraud department, they were very helpful. The guy I was sharing my mission files with for the DCS server left port 3389 open on my router. It only had access to my server machine so he could restart it if there was a crash. I did not know this could be a security problem. I should have looked into it further, been more responsible about protecting my own machine. This is a mistake I wont forget.

The router and its firewall have been reset to defaults, I have the server back up and running. I'm not allowing anyone to have access through my routers firewall anytime soon. Only the ports for the DCS server to run are open. Back ups etc have been made. 

Thank you for the replies and the messages. As I said up above this forum is a gold mine of useful and helpful people.

[SkateZilla]

Good Afternoon Teams!,


Just chiming in, as I have recently also been Crypto Jacked (as it's called).

In my case, during a recent overclocking endevour, the CryptoMiner, was installed via a re-built package for Overclocking software,

After installing, whenever Taskmanager or ProcessExplorer were run, it would pause itself, I was able to localize it by renaming process explorer.exe to something else (ie yup.exe).

When Launched I had a ConHost.exe running all 16 Threads full tilt boogie @ 4.5Ghz, my fans were sounding like a jet powering up, and my temps were hitting 75C.

Windows Virus Scan didn't pick it up, malware bytes picked up part of it, but there's still that lingering command line somewhere at startup that download and launches the same process again, 

So I'm literally going thru my autoruns log, and turning off everything and enabling items one by one to see when the Process comes back.

Be careful what you download and where, I have also seen reports around the web from other hardware tuners, that they've been hit with Crypto-Miners thru re-distributed Overclocking software.

Typically the best option is an Offline Scan (prior to windows loading). w/ Safe mode scan coming in 2nd.

Edited December 29, 2022 by SkateZilla

[tomcat_driver]

Good luck there mate. If by any chance it was that afterburner crypto miner, my recommendation to change all your passwords should also be valid to you. There are reports of that it also steals all your passwords, specially those saved by your browsers.

Regarding the miner's persistence, don't forget about the registry:

https://attack.mitre.org/techniques/T1547/001/

[mirq]

Good topic, but discussing only about Windows security it's a little off topic here.

 

I would like to hear about DCS server vulnerabilities and  exploits. leave alone Windows, there are plenty of resources about Windows on google to learn about.

 

What about DCS server (stable and beta) vulnerabilities ? Does anybody know anything about it ?

I observed players who stay connected for hours being spectators. Do they use an established connection to my server to run custom commands on server ? 

 

Also I noticed around 30 IP addresses that DCS sever are connected to via UDP. They might be CDN sources, but my server only transmits data, never receives anything from them. 

 

Edited January 1, 2023 by mirq

[BitMaster]

In my understanding of that Address list, most of your open connections in that list are home users with their cable/dsl ISP. 

Possible explanation, those are DCS Players in MP scanning available servers....

 

 

 

 

 

 

[mirq]

Thats a good explanation. I will check this scenario. Hopefuly its like that.

Stilll , the main concern is about dcs vulnerability. I cant see in changelogs fixes of some problems. It is a blackbox. Some guys might exploit it.