Thursday, September 5, 2013

Could it be a 0day against RDP?

A week ago, a client suffered from a weird Windows Server 2003 ISA 2004 behavior: it began to restart every few minutes after a Blue Screen Of Death (BSOD), leaving a Stop Error 0x000050 or 0x00007e. Our technical guy suspected the RAM module and swapped it with another one in another slot; still the same problem.

I started debugging the memory dumps with WinDbg, which suggested that the error was caused by RDPWD.SYS.

Hence I asked them to disable RDP totally on this server until there was a remedy for it. A few days later, the same problem occurred with some other ISA/TMG Windows 2003 & 2008 servers at a couple of other clients. We told them the same workaround: disable RDP on the Internet-facing servers and use something else for remote administration if it's a must. They did as they were told and, bingo, their problems were gone.

I didn't recommend monitoring the incoming connections to the servers and blocking the attacking ones, as the attack could be initiated from a lot of zombies, and it would be impossible to block all of their IP address blocks.

Could it be a 0day attack against the RDP service? Could it be an old, not-so-famous exploit that is causing a DoS on fully patched versions? I can't tell for sure, as currently I'm not running a honeypot and I don't have enough time to start analyzing this specific attack. I'll try analyzing it as soon as I can spare some time for this interesting task.

2 comments:

  1. Can I ask, does the server have a public IP in the two cases?

    Replies
    1. Yes, of course; the attack was against the public IPs of the servers.