azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c467b0d2c40ff9be56c5a259bb69d79c65856ac
claudetools/clients/valleywide/session-logs/2026-04-13-rdweb-brute-force-incident.md
Mike Swanson 5169936cfc Session log: IMC SQL move + DISM repair attempt, VWP RDWeb brute-force incident, Dataforth API planning 
- IMC: document 716 GB SQL backup cleanup, retention scheduled task, DB move C:->S:, sysadmin grant via single-user recovery, parked RDS removal after KB5075999 apply rolled back on ETW manifest error
- Valleywide: document RDWeb brute-force incident on VWP-QBS, UDM port forward closure, 30-day audit showing no breach, lockout policy restoration
- Dataforth: capture Swagger API review and Hoffman Zoom call prep
2026-04-13 15:40:43 -07:00

4.3 KiB
Raw Blame History

Session Log: 2026-04-13 — RDWeb Brute-Force Incident

Summary

Originally asked to help find a Windows Server 2016 box that could serve as a DISM source for IMC's broken component store. Valleywide's VWP_ADSRVR turned out to be Server 2019 (wrong version), so not useful for IMC — but while investigating, we uncovered an active brute-force attack on Valleywide's publicly-exposed RDWeb and pivoted to incident response.

No compromise identified. Attack surface closed.

Timeline

  1. Asked user for SSH access — user provided the sysadmin local password and instructions to enable SSH on VWP_ADSRVR
  2. Added public key to C:\ProgramData\ssh\administrators_authorized_keys; key auth landed as vwp\guru (domain admin)
  3. Discovered server is Server 2019, not 2016 — unusable as DISM source for IMC
  4. User pivoted: "a number of accounts are/were locked out"
  5. Queried AD: lockout policy 5/16min/16min; scanner being locked out every ~20 min, 24/7 from VWP-QBS; also Receptionist once and Guest twice
  6. Initially hypothesized stale scanner credential on some device; checked VWP-QBS via Invoke-Command with vwp\sysadmin:
    • No services or scheduled tasks running as scanner
    • No stored credentials (cmdkey /list empty)
    • 4625 failed logons showed w3wp.exe as the caller process (IIS worker)
  7. Examined IIS config — no app pool running as scanner, no config file referenced scanner
  8. Checked IIS access logs (C:\inetpub\logs\LogFiles\W3SVC1\u_ex260413.log) — found distributed attack in progress: POST /RDWeb/Pages/en-US/login.aspx from dozens of public IPs (China, Belarus, UAE, etc.) at ~6 req/min
  9. User removed the UDM port forward exposing 443 to the internet
  10. Attack traffic kept arriving briefly (in-flight connections); performed iisreset on VWP-QBS to drain
  11. Verified: no IIS log activity after 17:15:28, no external established connections on 443
  12. Re-enabled domain lockout policy (had temporarily disabled at user's request during diagnosis)
  13. Ran 30-day 4624 audit for public IPv4 source addresses — zero successful external logons

Key finding

The scanner and Guest lockouts had nothing to do with internal stale credentials. They were the brute-force attacker trying common Windows usernames through the public-facing RDWeb portal. Lockout threshold 5 meant every 5 external attempts at scanner would trip the lockout, account auto-unlocked after 16 min, repeat.

Attacker source IPs observed (partial list, all public): 175.27.166.65, 1.13.91.38, 124.220.25.11, 116.63.167.144, 213.184.204.221, 49.235.60.135, 150.158.14.111, 129.211.14.197, 123.207.6.38, 111.231.15.117, 217.164.235.215, 203.143.83.36, 42.193.102.227, 124.71.205.87, 81.70.13.85, 139.9.90.166, 42.192.195.29, 177.21.61.100, 146.135.5.89

(Mix looks consistent with commodity botnet / residential proxy infrastructure — typical of opportunistic RDWeb sweeps.)

Actions taken

  • SSH key auth added for guru@VWP_ADSRVR
  • Default SSH shell: still cmd.exe (not changed — remote work used powershell -NoProfile -Command wrappers)
  • Domain lockout policy: temporarily set threshold=0 (disabled) during diagnosis → restored to 5 / 16min / 16min once attack cause was understood and UDM change was in place
  • IIS reset on VWP-QBS to drain attacker sessions (inetsrv W3SVC/WAS restarted)

Decisions / rationale

  • Disabling lockout was a mistake in retrospect — I did it assuming stale-credential loop before seeing the attack. Once external source was identified, restored immediately. Window: ~15 minutes.
  • Did not install IPBan — user chose to close exposure at the edge (UDM) instead. Appropriate since no documented need for public RDWeb was confirmed. IPBan recommended as a prerequisite if RDWeb is ever re-exposed.

Outstanding

  • Audit UDM for UPnP (could let the server re-punch a hole)
  • Document who actually needs RDWeb access and from where; if external is needed, require VPN + IPBan
  • Rotate scanner account password as hygiene (PasswordLastSet 2024-10-17)
  • Investigate the LastLogonDate: 9/28/2049 ghost on VWP-QBS AD object — likely time-skew artifact, cosmetic

Credentials referenced

  • vwp\sysadmin — used for Invoke-Command double-hop from VWP_ADSRVR to VWP-QBS. Password handled verbally, not stored here.
  • vwp\guru — domain admin, SSH key auth.
Reference in New Issue View Git Blame Copy Permalink