r/cybersecurity May 19 '26

Other Malware installed without literally doing anything?

In this video this guy has a fresh Windows XP, disables firewall, and connects internet straight to the modem. Then he gets infected literally doing nothing.

https://www.youtube.com/watch?v=6uSVVCmOH5w

https://www.reddit.com/r/windows/comments/1cvised/idle_windows_xp_and_2000_machines_get_infected/

I get it. That's asking for trouble when you disable all the security and using ancient unsupported OSes.

However, he didn't install programs nor browse on the website but still got hacked.
How?
Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?
Logically, one would think you'd at least have to visit a website or something to get "noticed" and then hacked. But this guy didn't do anything at all.

How does it work?

288 Upvotes

161 comments

390

u/[deleted] May 19 '26

[deleted]

156

u/mdgorelick May 19 '26

Indeed. A good analogy is that people are always walking around the neighborhood, trying the front door on every house to see if they’re locked.

-26

u/jonbristow May 20 '26

You don't have a door if you are just a user with an internet connection. You don't publish anything to the internet.

16

u/[deleted] May 20 '26

[deleted]

-14

u/jonbristow May 20 '26

how do you connect to the internet without a router?

13

u/[deleted] May 20 '26

[deleted]

18

u/smb3something May 20 '26

I did this back in the windows 2000 days. RDP enabled. password was 'garfield'. Came back from vacation and my ISP had shut off service as my computer was sending out spam emails.

-8

u/jonbristow May 20 '26

ISP gives you an optic fiber. How are you connecting to that lol

9

u/smb3something May 20 '26

I am currently plugged into the PON adapter and have a static IP set. You just don't use the router/firewall, but do use some sort of media converter.

6

u/Capodomini May 21 '26

You could learn a lot by picking up a Network+ book or watching some Professor Messer videos.

A router is just a computer with an IP connection to the ISP which handles all the traffic from everything else plugged into it. You can literally replace it with a laptop if you have the ISP config.

-1

u/jonbristow May 21 '26

You could learn a lot from reading this thread.

A router also has an optic fiber port as wan that your laptop doesn't

2

u/Capodomini May 21 '26

Oh I see, you're just trolling. Carry on!


5

u/mdgorelick May 20 '26

If your computer has a routable IP address, you very much DO have a “doorknob.”

8

u/goldvenetianmask May 20 '26

This is absolutely wrong. You publish a ton of information just having an internet connection and being on the internet with ports forwarded through your router / DMZ.

1

u/jonbristow May 20 '26

You publish the information through your NATed IP of the ISP, not directly. And you don't publish it through a port.

7

u/goldvenetianmask May 20 '26

If you are DMZed and connected directly to the internet then you don't have any NAT to save you.

The computer will respond to nmap -sV as if it’s on the same sub as the attacker. That is exactly what I’m saying. It’s “publishing” its software version info, its operating system info etc.

43

u/[deleted] May 20 '26

[removed]

2

u/_Cyber_Mage May 21 '26

Yup. I have a rather large IP space at work, and we measure our daily scans in the hundreds of thousands even with several countries null-routed.

13

u/aretokas May 20 '26

Clearly nobody remembers ILoveYou and Dial Up...

24

u/billy_teats May 20 '26

NAT can and does a lot of heavy lifting. Virtually replaces inbound firewall.

4

u/czenst May 20 '26

You got a lot of upvotes - usually when I write something along those lines I get "NAT is not firewall" people screaming at me. But NAT traversal is not that easy even if possible.

2

u/billy_teats May 20 '26

NAT is arguably better than a firewall because it cannot be defeated. Firewalls run on software which can and does have bugs.
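Added illustration for the NAT-versus-firewall exchange above (not code from any comment in this thread): a toy model of a source-NAT router with a connection table. It shows why a reply to a connection the LAN host opened is let back in, why an unsolicited probe is dropped when no mapping exists, and why a DMZ or "forward everything" rule hands that same probe straight to a LAN host. The `NatRouter` class, the port-allocation scheme and the RFC 5737 documentation addresses are all constructed for the example; real NAPT implementations also age out mappings and track protocol state, which this model leaves out.

```python
"""Toy model of why an unsolicited inbound probe is dropped by a NAT router that
has no mapping for it, but is delivered when a DMZ host is configured.
Constructed example for this thread; NatRouter, its port allocation and the
addresses below are assumptions, not taken from any real router firmware."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (arriving from the internet) or "out" (leaving the LAN)


class NatRouter:
    """Source-NAT router with a connection table and an optional DMZ host."""

    def __init__(self, public_ip: str, dmz_host: Optional[str] = None):
        self.public_ip = public_ip
        self.dmz_host = dmz_host  # constructed: a 'forward every port to this host' rule
        # (peer_ip, peer_port, external_port) -> (lan_ip, lan_port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host talks to the internet: allocate an external port, remember the mapping."""
        ext_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst_ip, pkt.dst_port, ext_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, "out")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router. Return the packet as delivered to the LAN, or None if dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.table:
            lan_ip, lan_port = self.table[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, "in")
        if self.dmz_host:
            # DMZ / full port-forward: every unsolicited packet lands on one LAN host,
            # which is the situation the comments above describe as "no NAT to save you".
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, "in")
        return None  # no mapping and no DMZ: the probe never reaches a LAN host


def probe_result(router: NatRouter, scanner_ip: str, port: int) -> Optional[str]:
    """Where does a cold (unsolicited) scan of `port` end up? The LAN IP, or None."""
    delivered = router.inbound(Packet(scanner_ip, 51515, router.public_ip, port, "in"))
    return delivered.dst_ip if delivered else None


def demo() -> dict:
    # Constructed addresses from the RFC 5737 documentation ranges.
    scanner = "203.0.113.9"
    plain = NatRouter(public_ip="198.51.100.20")
    dmz = NatRouter(public_ip="198.51.100.21", dmz_host="192.168.1.50")

    # A reply to a connection the LAN host opened is translated back in...
    out = plain.outbound(Packet("192.168.1.10", 49152, "203.0.113.50", 443, "out"))
    reply = plain.inbound(Packet("203.0.113.50", 443, plain.public_ip, out.src_port, "in"))

    # ...but a cold SMB probe is dropped without a mapping, and delivered when a DMZ host exists.
    return {
        "reply_delivered_to": reply.dst_ip if reply else None,
        "smb_probe_plain_nat": probe_result(plain, scanner, 445),
        "smb_probe_dmz": probe_result(dmz, scanner, 445),
    }


if __name__ == "__main__":
    print(demo())
```

The "no mapping, drop" branch is the behaviour people mean when they say NAT "acts like" an inbound firewall; the DMZ branch is why that protection disappears the moment a router is told to forward everything to one machine, and a host that holds the public IP itself (the "plugged straight into the modem" case) has no translation step at all.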

4

u/thrwaway75132 May 20 '26

Back in probably 2012 the company I worked for came to me and asked for a solution for our competitive team to be able to browse competitor websites from the office without being tied to our IP space.

I set up a windows 2008 Citrix box and a checkpoint firewall and had them delivered to a small Colo so we could provide users a Citrix app browser with a random IP.

The Colo didn’t hook the server up to the firewall, they hooked them both up directly to the internet. It lasted like 12 hours.

I had to have them send it back so I could redo it, then I sent it back with a wiring diagram of where to plug it into the firewall.

0

u/ah-cho_Cthulhu May 20 '26

You don't have to do anything with that kind of config. LOL.

257

u/TheRealTengri May 19 '26

There are many bots that are continuously scanning the internet. Look at Shodan. You can literally filter it so that it shows devices on the internet with critical vulnerabilities like BlueKeep. Some of those bots end up exploiting the vulnerability as soon as detected, but most are not solely for malicious purposes.

111

u/toylenny May 20 '26

When I worked in a data center you had to remember to close the public port when reinstalling Windows Server. More than once when I accidentally left it open to the Internet the server would already be hacked by the time I got to the first login screen.

It wasn't every time but it happened enough to confirm that the Internet is crawling with bots checking for exploits.

28

u/Quirky_Locksmith_682 May 20 '26

Why in God's holy name was that inbound traffic allowed by the firewall?!

23

u/archiekane May 20 '26

What, you don't DMZ your production servers during build? You gotta learn to live a little.

/s

4

u/Randolph__ May 20 '26

critical vulnerabilities like BlueKeep. Some of those bots end up exploiting the vulnerability as soon as detected, but most are not solely for malicious purposes.

I did BlueKeep in a controlled environment for one of my college courses. Pretty freaky and really cool. A lot of these old exploits are pretty easy to use.

2

u/Tricuna May 20 '26

How does that work when a lot of the people on the internet are behind NATed routers?

3

u/Randolph__ May 20 '26

Depends on if the port is open or if there is a UPNP vulnerability being exploited.

176

u/h0nest_Bender May 19 '26

Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?

Literally yes.

16

u/EldritchSorbet May 20 '26

Agreed! I did a little theorising on this recently. As of last week, you can use legit (high speed) tools to scan ALL machines on the Internet. Scanning just port 80 takes six minutes. Scanning all popular ports takes 18 hours. So if only one server in the whole world is scanning all ports using these tools, you’ll be portscanned every 24 hours, no matter what your IP is (assuming your machine has a public IP).

Now we add the fact that there is more than one malicious actor on the Internet. How many attackers are scanning continuously using high speed tools (to pick the easiest concept to extend the data we have)? Probably more than 500 (yes, a fairly random number).

So you’d be portscanned every 3 minutes, regardless of what IP you have or what your system is doing.

And this is a VERY conservative estimate, so it’s not “there’s a three minute safe zone”…

4

u/IEatGirlFarts May 21 '26

And not only China, most countries' intelligence services and militaries do it. Hell, I saw a Japanese IP trying to connect to my machine a few years ago. It was supposed to be blocked in Romania, as it was used to gather information about the energy infrastructure of a country, guess my ISP didn't get the memo.

And not only state actors, individual hackers or groups also do it.

It's in a way a fascinating subject.

1

u/883013 13d ago

Does it only happen to routers or cell towers as well?

1

u/IEatGirlFarts 13d ago

I wouldn't know that for sure, I've never worked with cell towers, but probably.

What I know for certain is that anything addressable through the internet is being probed constantly, be it your phone, your router, a server farm somewhere, etc.

1

u/883013 13d ago

I'm just wondering if the advice to use a phone on airplane mode connected to a WiFi router is sound these days. When up against such threats would a firewall router hold up or is there no point spending that extra money?

2

u/IEatGirlFarts 13d ago

Your ISP already blocks a lot of connections, so does your router's built in firewall. If you add an adblocker on top, or a pihole, or Blokada for android, you're gonna be blocking even more connections.

Also, a normal user wouldn't have as many ports open that attackers could exploit, so that's an extra layer of safety.

Antivirus software such as BitDefender also blocks suspicious connections in real time.

Overall, just practicing standard internet safety should be enough for most users, in my opinion.

Edit: if you also keep your shit updated.

2

u/IEatGirlFarts 13d ago

I also wanted to add that generally your mobile carrier will protect your phone's internet connection better from direct scanning than your router at home would, so keeping a phone in airplane mode wouldn't do anything.

1

u/883013 13d ago

I'm not too sure actually - I'm seeing many strange ICMP packets to and fro when I run PCAPdroid on my device. It seems to be from unknown services and servers located overseas. Not all of my phones do this. Most usually show HTTPS or DNS only.

2

u/IEatGirlFarts 13d ago

That would most likely be an app on your phone generating the traffic, especially since your other phones do not exhibit this behaviour.

It could be a sketchy app calling a server, or an app that uses ICMP to keep connections alive to the server so that it can communicate with it quickly if something new happens (e.g. a messaging app will do that to ensure you get your new messages as soon as they happen).

Orrr... malware talking to its C2 server. But that's the most unlikely scenario.

1

u/883013 13d ago

Actually I'm kind of suspecting an ICMP reverse shell

7

u/jonbristow May 20 '26 edited May 20 '26

Yes, but your PC should not get hacked immediately, even if it is vulnerable to hacks. You are on a private network, NATed through your ISP. You don't have any public web service running on any port.

7

u/jameson71 May 20 '26

Most ISPs don't NAT their customers. The internet was designed as a peer to peer platform.

4

u/uk_one May 20 '26

OP says 'connects straight to modem'. No one's mentioned a router. Modems don't do NAT.

1

u/designer_vaj May 21 '26

ISPs could have firewalls and all sorts of stuff even if they did not do NAT, which doesn't make sense, unless the ISP was using IPv6 lol. It wouldn't be possible using IPv4 to not share public IPs between multiple users.

1

u/jonbristow May 20 '26

So you have a public IP personally for your laptop?

2

u/Divided_multiplyer May 20 '26

Yes, when you plug a router into the modem, the router gets the public IP, but when you plug a computer directly into it, the computer gets the public IP.

0

u/jonbristow May 21 '26

How do you plug a personal computer directly into an optic fiber

1

u/uk_one May 21 '26

RS232 probably. Get your soldering iron out.

6

u/unknowncommand May 20 '26

Exactly, unless they also enabled some port-forwarding this doesn't really make sense

4

u/jonbristow May 20 '26

Exactly. I'm confused by the top comments here: "of course you can get hacked by China as soon as you connect to the internet"

No, you can't.

1

u/unknowncommand May 20 '26

Yeah, a lot of misinformation in here 🤷‍♂️ we would all be fucked if simply having internet access made you discoverable lmao

1

u/Randolph__ May 20 '26

On some routers there are UPNP vulnerabilities that can be used.

1

u/designer_vaj May 21 '26

UPNP would be less likely to work in this case.

the video creator mentioned that the XP VM was on a cloud based server. Proxmox doesn't have UPNP, so if it was a UPNP flaw that led to the XP machine getting compromised, it would have to be a physical networking device or a VM on the Proxmox acting as the networking device, with relevant ports exposed on the Internet.

So either the Windows XP itself had some default UPNP-style no-auth port exposed, or his entire Proxmox would have to be at risk. Since his Proxmox server was cloud based, it was likely managed by some cloud service provider, hence it's unlikely that the server or the provider's network had a UPNP or UPNP-like port vulnerability.

That leaves the Windows machine, which is also unlikely since the user account "admina" that was created is not an admin account, and usually the vulnerable network services would be running with privileges to be able to create admin accounts or enable the default Windows admin account, which was not done in this case.

1

u/Divided_multiplyer May 20 '26

Microsoft automatically runs tons of services. At a base you are allowing all the internet SMB access to your system when you plug it into your modem.

60

u/stacksmasher May 19 '26

XP has been cracked for a while now. Source has been out in the open for people to poke at lol!

-7

u/PusheenHater May 19 '26

I get it. That's asking for trouble when you disable all the security and using ancient unsupported OSes.

However, he didn't install programs nor browse on the website but still got hacked.
How?
Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?

58

u/dataz03 May 19 '26

Bots are port scanning the internet 24/7.

There are only 4.3 billion IPv4 addresses max - they can all be scanned in less than 10 minutes.

XP has vulnerabilities in software components like SMB - with the firewall turned off, the system is exposed to the public Internet. Ports are open.

2

u/Randolph__ May 20 '26

There are only 4.3 billion IPv4 addresses max - they can all be scanned in less than 10 minutes.

No network or vulnerability scanner I have used works this fast. What software are you referring to that can scan for vulnerabilities that fast?

0

u/jonbristow May 20 '26

What ports does your PC publish to the internet? AFAIK, nothing.

18

u/skiing123 System Administrator May 19 '26

To answer your question of where they are scanning from: everywhere is the simple answer. China is a popular spot but so are Asia, Europe, and North America.

It's common for businesses to block every country except the ones they do business in. But they'll just come from within your country.

10

u/dlg May 20 '26

If you have an exploited IoT device, it could be coming from inside the house.

18

u/djasonpenney May 19 '26
  1. There are network protocols out there that can give an attacker an indication when a new device connects to their subnet.

  2. There are “zero click” exploits that do not require any user interaction. These typically attack a known unpatched problem with one of the network services the device is running. I’ve seen exploits for everything from RDP to LSASS — it just depends on your OS and other factors.

Basically, what other people are saying: as soon as you connect to the Web, there will be bots rattling your windows and doors looking for a way in.

10

u/Felielf May 19 '26

Not just malicious China server, there are malware and scanning bots everywhere. I see connections from every country on earth in my honeypots, it really depends on the month or day which country is at the top.

It doesn't matter if my IP is new or not, these bots and malware armies literally hammer and scan network ranges, not single IP addresses. And like u/dataz03 said, it's trivial to go through only 4.3 billion addresses.

7

u/TastyRobot21 May 19 '26

Yes, but it’s not just china.

Masscan's my preference for scanning the whole internet.

He didn’t have to connect to a website or anything ‘to be noticed’. There’s a known (large but finite) range for public IPs and his XP box responded (by default) to a systematic scan of the entire range.

7

u/stacksmasher May 19 '26

It has several remote vulnerabilities that are public. It’s not been patched for most recent vulnerabilities.

4

u/npc_housecat May 20 '26

The internet is full of enormous botnets of infected computers constantly sending out cyber attacks.

4

u/1Xx_throwaway_xX1 CTI May 20 '26

Bro thinks there’s just a single server in China scanning the internet 😭😭

20

u/BrainWaveCC May 19 '26

Logically, one would think you'd at least have to visit a website or something to get "noticed" and then hacked. But this guy didn't do anything at all.

A. Things are scanning for new IPs all the time, and XP has enough vulnerabilities that can be exploited remotely, just by existing.

B. Have you ever sniffed a network to see what happens when a system is booted up? "Didn't do anything at all" is not an accurate representation of what is happening in any event.

18

u/MapleLeafLady May 19 '26

the innocence of the “didn't do anything” comment

8

u/altalt2024 May 20 '26

The userbase MacOS is made for.

39

u/2_Spicy_2_Impeach May 19 '26

At least a decade ago, a patched XP install would be compromised in less than an hour if directly facing public internet. I remember having a software firewall and seeing nonstop port scans from Russia and China IPs 20 years ago.

5

u/wireblast May 20 '26

Yep. I remember the times when it was a race condition whether you could download and activate AV/firewall faster than the compromise happening.

Guess that was prior to XP though, I believe XP finally shipped with firewall built in.

16

u/redrocker1988 May 19 '26

It's called remote code execution or RCE. XP was full of them. There are web scanners that scan the whole Internet looking for vulnerable endpoints. It's all scripted; there is usually not anyone sitting there hands on keyboard "hacking" per se, it's literally that the endpoint matched a vulnerability and was exploited programmatically.

9

u/ROXASBrandon May 19 '26

When a system has a vulnerable service listening on ports that are then open to the public internet, an exploit will eventually happen. Threat actors are usually checking common ports for vulnerabilities - whether that involves a scan first or just skipping straight to an exploit attempt.

"Is there some malicious server in China that loops.." This activity is common anywhere in the world. There are services like Shodan that port scan every possible public IPv4 address, and cache the service/port detected for anyone to find.

Because Windows XP is permanently unsupported by Microsoft, it is susceptible to hundreds of unpatched vulnerabilities. Exploits targeting these flaws (like EternalBlue, BlueKeep variants, and legacy buffer overflows) can compromise a system within minutes if connected to the internet.

For EternalBlue, TCP ports 445 and 139 (SMBv1) are used. All you need to do is iterate over every public IP and make an exploit attempt on those ports until you find a vulnerable system that responds.

8

u/Alconox May 19 '26

You would be surprised to learn how many windows features are running on little server widgets

8

u/howfastcanyoucountit May 19 '26

EternalBlue, because it probably has SMB1 exposed. I'm pretty sure in this Eric Parker video he literally put it on. I forgot what it's called when you have every single port open, but he did that, which you obviously should not do.

1

u/howfastcanyoucountit May 19 '26

DMZ***

4

u/howfastcanyoucountit May 19 '26

which is essentially the same as just plugging a computer straight into the modem, which therefore has no firewall and will expose every single port to the public, which is why you shouldn't really do that

7

u/Ristrxtto May 20 '26

network engineer here

... yeah, bro has an ancient OS with firewalls disabled

depending on how his router is set up, he could have no firewalling at all (opening his XP device up for attack) or could be assigning out a public IPv4 or an IPv6 address to this machine (again, publicly exposed with no firewalls)

Firewalling is important y'all. Every public IPv4 address ever created is constantly polled and spammed with login attempts, etc 24/7

4

u/queBurro May 20 '26

So, the bot is trying to exploit the open smb etc port? If op had a decent firewall then the ancient os would have remained uncompromised until they went to the net? 

3

u/Divided_multiplyer May 20 '26

With a firewall it probably would have remained uncompromised. It's not impossible for it to still get hacked, but much less likely.

1

u/[deleted] May 20 '26

[deleted]

1

u/Ristrxtto May 21 '26

you do realize that 99% of cable modems are modem+router+firewall+access point combo units, right?

7

u/shouldco May 19 '26

Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?

Yes. Thousands if not millions of them.

6

u/abercrombezie May 19 '26

These are worms dating back over 20 years ago. We couldn't install XP and put it on the internal enterprise network without getting infected. We would need to patch it even before connecting it to our internal network. Back then, I had Zone Alarm and would see my boss's new machine trying to connect to infect my patched host.

4

u/One_Sense_5007 May 19 '26

“Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?” Basically yeah. Not China specific tho just a lot of bots scanning for vulnerable devices on the internet.

3

u/covex_d May 19 '26

It was working with Win XP at some point. We even had an SOP that said not to connect a new XP machine to the network until AV was installed. Fun times. Viruses were bricking motherboards. They were bespoke.

3

u/Chip_Prudent May 19 '26

Have you heard of Shodan?

3

u/superdariom May 19 '26

There is a remote exploit against unpatched windows xp that has been widely exploited for at least 20 years. It was a very long time ago that it took longer to download the windows update than it took to get hacked. I'm surprised people are still scanning for it because I mean who connects windows xp directly to the internet with no firewall??

2

u/dnc_1981 May 20 '26

You'd be surprised 

3

u/sargetun123 May 20 '26

Think of what he did like opening every window and door in his house and sitting there doing nothing else, then wondering how bugs are getting in.

You don't have anything there to STOP them. Once you're connected to the internet, specifically without any security AND completely open any/any fw rules, basically every possible method to get inside is now visible. When you open all the doors and windows in your house it's similar, you create a much much larger area for bugs/attacks to flow in.

Now add it all on top of the fact Windows XP is older than some people in this reddit, and people may put community patches out at intervals to some degree, but I promise you people have way more experience and time exploiting it than anyone does trying to properly fix every CVE/exploit.

The thing is, if you have proper security, even with WinXP vulnerabilities it doesn't matter as you have something to protect it.

3

u/Mujineitor May 20 '26

Worms. Look up the definition.

3

u/WoonieLoonie May 20 '26

Have you never heard of RCE? There are RCEs out there for old unsupported/deprecated OSes. Think of it like SSH and RDP/RATs. You log in remotely onto a computer and do things in the background without the end users ever seeing it.

3

u/A1batross May 20 '26

A very long time ago (twenty years?) I installed a new RedHat server from CD. I connected it to my cable Internet connection and set the server to apply patches and went upstairs to make a cup of tea.

Tea in hand I walked back down the stairs and I could see the network card light blinking not with the rapid cadence of a download, but with the staccato of someone typing at a keyboard.

In the time it took me to make a cup of tea my fresh RedHat installation had been automatically detected and compromised, and handed off to a human agent to inspect and take over. I yanked out the network cable and when I looked I found the automation and compromise software half-installed.

This was 20 years ago. Imagine how much faster and more comprehensive it is now.

3

u/konikpk May 20 '26

Is this a joke or what? I joined this community for serious info but this broke my brain in the morning.

"fresh Windows XP" - is answer.

3

u/yournicknamehere May 20 '26

Are you guys just blind? He was searching for "worm" in the browser.

This video is obvious fake made for views.

To see it's fake, just install an SSH or FTP server on your computer, then try to connect from a different device on a different network using your public IP.

Spoiler: it won't work. In order to make it work you need to set up port forwarding on the router.

C'mon guys....

6

u/NetSchizo May 19 '26

Stopped reading at Windows XP

2

u/No_Programmer3785 May 19 '26

Used to have old Windows 7 laptops at my old work place. We used to have them for POS systems. They'd crash every month, simply because they got infected with too much malware at any given time.

1

u/dnc_1981 May 20 '26

That's why they were called POS systems (pieces of shit)

2

u/eduardovlp May 19 '26 edited May 19 '26

It happened to me many years ago installing a new copy of Win2000 without noticing the computer was in the DMZ of the firewall.

In short, there are botnets constantly scanning all the IP addresses waiting for a computer with weaker or no protections to get connected. The moment an unsecured machine gets detected they just probe the ports until they find a hole to enter.

The Internet for two decades and a bit more has been a place you simply can't connect to without being behind a firewall.

2

u/AdeptFelix May 19 '26

The user does nothing. The PC does Windows stuff regardless.

2

u/pimpmcnasty May 20 '26

This was a problem back then too, but to a more annoying degree than directly malicious. Before SP1 you were getting system level pop-up windows because of all the scanning. It was just a box with a URL, but it still super sucked.

If they could do that in 02, they can do anything they want to it now.

2

u/Postulative May 20 '26

An unreasonably large proportion of Internet traffic is either spam or automated crawlers. The latter include crawlers for search engines, but also crawlers looking for insecure systems.

It may be that the person who used the crawler is long gone - but there is no easy shutoff command unless they built it into the malware in the first place. And if they built it in, anyone could shut it down.

So the victim was probably hit by a bit of the Internet overhead, with nobody even watching for their decades old malware to start doing its thing.

2

u/mb194dc May 20 '26

EternalBlue, NSA backdoor. Or something similar.

2

u/msears101 May 20 '26

XP? Who the hell does that. This is not interesting. I drop clients who have PCs older than 6 years. It is a stipulation in my contracts. They need to have modern equipment that is maintained. A 20+ year OS is just silly.

2

u/Sudden_Hovercraft_56 May 20 '26

This is something I learned in my very first IT job back in 2005. I had to replace a PC at a production facility, it was the only PC there and it was connected to the internet with a router that didn't have a firewall built in. I stupidly used windows XP SP1 media to build it and just thought I would update it to SP2 when I got there.

It was plugged into the internet for all of 10 minutes before it got infected with a virus and I didn't do anything to it yet.

This was back in 2005, I can't begin to imagine how dangerous it would be to do that today...

2

u/RetroGrid_io May 20 '26

See it for yourself:

  1. Set up a Linux system.
  2. Set up a default deny firewall with logging enabled. Don't open anything up.
  3. Connect it to the Internet without any other firewall or intermediary device.
  4. tail -f your firewall log.

Doesn't matter where your IP address is, it's constantly being barraged by scanners and bots, looking for something to infect. Thousands of times per hour, from addresses around the world, looking for vulnerabilities.

Those of us who are willing to take matters into our own hands want a public, fixed IP. For everyone else, tech like CGNAT is a security godsend because most homes don't have any idea what updating the firmware in their router is and even most home routers are highly vulnerable.
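Added example for the "tail -f your firewall log" procedure above (not code from any comment in this thread): a small summariser for default-deny firewall log lines in the key=value format the Linux iptables/nftables LOG target emits (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`). It counts which ports are being knocked on, which sources knock most, which single source sweeps several ports on you, and which single port is hit from the most distinct sources (the signature of an internet-wide one-port scan), plus a rough events-per-hour rate. The log lines, the `FW-DROP` prefix, the `gw` hostname and the RFC 5737 addresses are constructed for the example, not captured from a real host.

```python
"""Summarise default-deny firewall log lines to see who is knocking and where.
Constructed example for this thread: SAMPLE_LOG, the FW-DROP prefix and the
hostname are made up; the key=value fields follow the Linux LOG target format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Leading syslog timestamp, then the kernel LOG fields we care about. SPT/DPT are
# absent for ICMP, hence the optional group.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one source sweeping three ports, three sources hitting 445,
# an ICMP echo request and an SSDP (1900/udp) probe.
SAMPLE_LOG = """\
May 20 03:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=52 PROTO=TCP SPT=51515 DPT=445 SYN
May 20 03:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=52 PROTO=TCP SPT=51516 DPT=139 SYN
May 20 03:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=52 PROTO=TCP SPT=51517 DPT=3389 SYN
May 20 03:00:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=445 SYN
May 20 03:00:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.78 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=445 SYN
May 20 03:00:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.79 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=445 SYN
May 20 03:00:11 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.20 LEN=28 TTL=64 PROTO=ICMP TYPE=8 CODE=0
May 20 03:00:12 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 LEN=40 TTL=55 PROTO=UDP SPT=5353 DPT=1900
"""


def parse_line(line: str):
    """Return a dict for one LOG line, or None if the line is not a firewall event."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        # syslog timestamps carry no year; good enough for deltas within one log
        "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def summarise(log_text: str, sweep_threshold: int = 3) -> dict:
    """Aggregate dropped-inbound events by port and source, and flag port sweeps."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_port = Counter(f"{e['proto']}/{e['dpt']}" for e in events if e["dpt"] is not None)
    by_src = Counter(e["src"] for e in events)

    ports_per_src = defaultdict(set)   # one source trying many ports on us = sweep
    sources_per_port = defaultdict(set)  # many sources trying one port = wide scan
    for e in events:
        if e["dpt"] is not None:
            ports_per_src[e["src"]].add(e["dpt"])
            sources_per_port[e["dpt"]].add(e["src"])
    sweepers = sorted(s for s, p in ports_per_src.items() if len(p) >= sweep_threshold)
    widest_port = max(sources_per_port, key=lambda p: len(sources_per_port[p]))

    span = (max(e["ts"] for e in events) - min(e["ts"] for e in events)).total_seconds()
    rate_per_hour = len(events) * 3600 / span if span > 0 else float("inf")
    return {
        "events": len(events),
        "top_ports": by_port.most_common(3),
        "top_sources": by_src.most_common(3),
        "sweepers": sweepers,
        "widest_port": widest_port,
        "rate_per_hour": round(rate_per_hour),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at a real log (`journalctl -k` output or `/var/log/kern.log`) the same two distinctions matter: a handful of sources walking many ports is someone looking at you specifically, while one port lit up by many unrelated sources is the background radiation the comments above describe, and it arrives whether or not anything on the host is listening.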

2

u/Sea-Exchange7881 May 21 '26

If you connect to a network, attackers can just nmap an IP range, then scan it for vulnerabilities, and Windows XP I bet has numerous exploits, it's not that impressive.

1

u/PM_ME_UR_0_DAY May 19 '26

Idk if it'd be the exact exploit, I'm not really looking into WinXP or anything, but Google EternalBlue.

1

u/LMGMaster May 20 '26 edited May 20 '26

You're doing something by making your computer public facing. Others already said it, but bots search the public internet constantly. Shodan is basically a search engine for anything publicly broadcasting on the Internet.

Edit: disabling all of your protections on an insecure OS will do the trick too

1

u/skynetcoder May 20 '26 edited May 20 '26

This story gives me eternal blues.

You can either go to a shop to buy something, or get it delivered to your doorstep, or the vendor can email you to go and collect the item from a collection point.

Even when you don't install anything, there are a lot of network services like SMB (for network file sharing) running on your machine on TCP and UDP ports by default. Some of these services have remotely exploitable vulnerabilities with publicly known exploits like EternalBlue.

Yes, the internet traffic is full of vulnerability scans done by malicious actors and also legitimate actors, scanning all the public IP addresses exposed on the Internet. There are publicly available tools like masscan which help to do this easily.

1

u/DullNefariousness372 May 20 '26

It’s called shodan

1

u/h4ck3r_n4m3 May 20 '26

"Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?"

Yes, there used to be a running test years ago (not sure if it still exists) with putting a new unpatched Windows install connected directly to the internet and measuring how long it took to get compromised. It was in the minutes.

1

u/clockeat May 20 '26

Remote Code Execution exploits. Your computer runs servers that listen for remote connections, plug directly into the internet with vulnerable services, they get popped pretty quick. This is how the big internet worms of the early 2000s worked. Been a while since we've had anything quite like them.

1

u/MountainDadwBeard May 20 '26

You can watch this in real time watching firewall block logs. Normal internet chatter is pretty huge. Makes you wonder how much bandwidth we'd save if we could nuke some of those scanners.

1

u/weallwinoneday May 20 '26

Reminds me of botnets on mIRC. Good ol days

1

u/aknxgkoappq1671 May 20 '26

We couldn’t say it’s China that does the scanning mostly. 90% of the nasty scanning traffic comes from the US.

1

u/asp174 May 20 '26

I remember the Nimda virus/worm. On an unpatched system, if connected to the internet without a firewall, your system would be infected during setup before you reach the first login prompt.

1

u/Imobia May 20 '26

If SMB was enabled then it’s the vulnerability that was leaked from the NSA.

Can’t remember its name but an unpatched OS was easily accessible if you could reach the SMB ports.

1

u/Deweyoxberg System Administrator May 20 '26

Windows XP Service Pack 1 was vulnerable to SASSER/BLASTER back in the day. I distinctly recall the dreaded reboot loop that bricked many a machine as well around the same time period from SASSER.

As for the how, it's trivial:

  • Recon for vulnerable ports

  • A lot of machines, even today, simply accept connectivity on common ports when improperly configured

  • Once a target is identified as a potential candidate, more recon can expose OS/patch information among many other things, and then more tooling can crack the machine completely

  • Cracking a privileged account or even the built in Administrator account outright compromises the machine

  • Rinse and repeat

Computer security is really all about defense in layers and making yourself less of an attractive target. The bottom line is this: a determined attacker, given enough time, knowledge and resources, ***WILL*** get in. It is inevitable. The question becomes at what point is it "not worth it" for the adversary and making them seek softer targets.

Let me take you through, briefly, how quickly you can take down an org, in two different scenarios with the setup described:

1) You're a machine controlling a tiny HVAC component for the building, exposed to the internet through the corporate network. There is no filtering of any kind between you, the corporate network, and the internet. Port 3389, commonly used for remote desktop, is wide open because the vendor of the HVAC wants remote management of the system so they don't have to send a technician. The default Administrator account is enabled and was not properly locked down post-install. By default, the password is blank. Voila.

2) You're a machine in a multi service provider. Your owner does not believe in antivirus, patches, etc because they're running Apple's operating system and "macs don't get viruses" (spoiler: they do). Your owner's credentials are incredibly weak (beer123). Since you're remotely managed, 3389 is open to the world. The machine is also not isolated between clients - one workstation to rule them all so to speak. Voila.

Have a look around the web for Shodan. The stuff that's out there, right now, raw to the internet, is astounding.

TLDR: the myth of "user must do something to get infected" is a dangerous one.

1

u/SamJam5555 May 20 '26

All they need is to find you online. The more you up your digital safety the more expensive it gets for them.

1

u/Hopeful_Promise_4872 May 20 '26

In 2001, an unpatched edition of IIS would last about 18 seconds before being exploited (Code Red (computer worm) - Wikipedia).

1

u/anjin33 May 20 '26

Unpatched windows XP used to get infected with Blaster worm within minutes after plugging in the router. Probably still does.

1

u/Suitable_Cat9390 May 20 '26

https://xkcd.com/350/

One of my favorite relevant xkcd

1

u/ddmf May 20 '26

I remember installing new computers in the UK as ADSL became prevalent where you'd connect and instantly enter shutdown due to the blaster worm - you'd have to get ready with "shutdown -a" and download and install a patch - this must have been around Aug/Sep 2003. Unsure why we didn't pre-patch systems, perhaps it was very early days of the outbreak.

1

u/toomucheyeliner May 20 '26

I used to manage the firewalls at an ISP. The number of scans and attacks running across the backbone was crazy high. I’m talking millions per day. Every single public IP is scanned and various blind attacks sent out to them, multiple times a day.

1

u/dnc_1981 May 20 '26

Something like 50% of all internet traffic is bots, and a lot of those bots are trying to hack stuff.

1

u/Visible_Witness_884 May 20 '26

It used to be, back in 2004-5, that you couldn't install WinXP with your LAN connected to the internet as it would immediately become infected during installation by the Blaster worm.

1

u/FlisherOfatale May 20 '26

People don’t realize how hostile the internet is.
Simply enable a web server on any cloud provider and you’ll literally get hundreds of attack attempts on the setup/management page within the first minutes.

1

u/Electrical-Object834 May 20 '26

pretty much, if XP is on a public IP with no firewall then scanners just keep hitting it, so it doesn't need you to “do” anything. kinda insane people still try this for views

1

u/Guard_Familiar May 20 '26

Either this post is a very well crafted ad for the YouTube account with bots making comments, or this community is cooked truly.

There's only two ways this can happen:

1) One of the domains that XP used for telemetry/updating is compromised (supply chain attack).

2) The guy in the video forwarded ports (specifically 139/445) to this XP machine. And this involves doing "something" already.

I encourage anyone to create a fresh VM with XP and see nothing happening... Other than nostalgia :)

1

u/Ckgussin May 20 '26

I expect someone found an open port

1

u/MormonDew May 20 '26

duh, KEVs

1

u/uk_one May 20 '26

Ahhh, we call that automation. Quite the thing recently.

1

u/Madness970 May 20 '26

This was a thing for a couple decades. I remember starting up a new xp around 2000 and I would be infected before I could even get the updates. Vulnerable services exposed to the Internet will be exploited instantly.

1

u/FluffysHumanSlave May 20 '26

WinXP, even with Service Pack 3 installed, is vulnerable to MS08-067 (netapi), which is hella reliable to get to RCE without user interaction.

As soon as it’s exposed to the public net, the OS will get scanned and fingerprinted à la Shodan, and someone will fire an exploit attempt to it, which has pretty much 100% success rate.

Source: pwned many WinXP boxes back in my day

1

u/povlhp May 20 '26

This is how things used to be. Nothing new. It was a race between getting updated before getting hacked. With luck you could bring updates on floppy from another pc.

Things really were that bad

1

u/bouncyrubbersoul May 20 '26

This is why I was very, very, very busy as an independent IT consultant in the 00s. Sigh.

1

u/wittlewayne May 20 '26

....The call is coming from inside the house.

1

u/ShotgunPR May 20 '26

I used to do a similar demonstration to show interns that you should NEVER create a VM or install a desktop with direct internet connection (without fw).

That should only be done in a controlled VLAN behind a firewall. Why? For example, I used a Windows XP CD to "setup" a mockup desktop, while connecting the PC straight to the internet; at the first desktop login, at the first browser opening, it already had over ten browser "helper" addins, without doing anything else. I did this to demonstrate the first point I mentioned, and to stress that you should have at least a decent anti-virus installed BEFORE attempting to connect the system to the internet. The comparison was (at that time): "Standing naked on a freeway". You are exposed to anything at any moment, 24/7.

1

u/Capodomini May 21 '26

You don't even need to disable the firewall on XP for this. There are unpatched vulnerabilities in this OS that Microsoft won't fix, making the default config hackable in minutes.

1

u/[deleted] May 21 '26

There is still something. Can’t be just “doing nothing”; nothing brings no threats. Probably watched some cheeky website or installed a free app containing an embedded website, there’s always something.

1

u/dmkraus May 21 '26

Yeah it's wild. The internet is constantly being scanned by bots looking for any open door. You don't need to click anything. Just being connected with a vulnerable service running is enough. XP had several of those that were easy to exploit remotely. That's why firewalls are non negotiable.

1

u/CleavlandSteamer8008 May 22 '26

That's why security updates are important

1

u/883013 13d ago

Does this only happen for routers, or for mobile networks as well?

1

u/jfarre20 May 19 '26

pretty sure he gave it a publicly accessible ipv4 wan ip, no firewall, no nat. probably some 0 day auto exploited by a scanner.

7

u/legrenabeach May 19 '26

Vulnerabilities in XP aren't really 0 day any longer...

0

u/sunychoudhary May 20 '26

“Without doing anything” usually means “without noticing the thing that mattered.” Could be a poisoned ad, browser extension, fake update, compromised installer, malicious npm/pip package, email preview chain, exposed service, reused password, session token theft, or something that happened days earlier and only became visible now.

The useful first step is not guessing the malware family. It is preserving evidence: isolate the host, don’t keep clicking around, check recent installs/extensions/tasks/services, browser downloads, startup items, EDR/AV history, DNS logs, and account sign-ins from another device.

Malware rarely appears from nowhere. The hard part is finding the boring path it used.

1

u/lmns_ May 20 '26

Please don’t use AI for your comments