terminal server security - looks like hackers

Posted on 2011-09-26
Last Modified: 2012-05-12
Looking at my router/firewall I can see a couple of different IPs trying the RDP port 3389. I have this port open to allow project managers to work. They do not use a VPN but have the RDP user/password login.

As an example, I have this IP trying to look into port 3389 about 100 times every 3 minutes: 211.44.250.196. When I look at the TS event viewer I cannot see anyone trying to log in.

I suppose this is a 2-part question.
a) What do you think this IP is trying to do, if I can't even see it trying to log in?
b) Is there any threat here and should I be doing something else?

Any advice would be helpful.
Question by:Shawn
3 Comments
Accepted Solution

by: Shaik M. Sajid earned 500 total points
ID: 36707584
About the event viewer: the security settings will display the login information... even though for the RDP session...

Related to port monitoring... try to monitor the port by changing the port... from the registry...

"You can also change the port used."

"That would be a firewall setting... still isn't an RDP setting."

Actually, unless you remap the port on the firewall (forward traffic on randomport# to 3389 on target RDP machine), you would also need to change a registry value on the machine you're RDPing to in order to change the listening port for RDP. While firewalls would be involved, changing the listening port for RDP is a registry edit.

http://support.microsoft.com/kb/306759

Changing the listening port number in this scenario would be a very good idea.
Author Comment

by: Shawn
ID: 36712489
shaiksaj, as I mentioned, though I can see the IPs through the firewall being forwarded to RDP, I cannot see any activity in the event viewer... including, of course, the security.

Changing the port isn't an option in my case.

Still haven't really addressed the question.
Expert Comment

by: Spartan_1337
ID: 36712524
The IP is Korean.

http://www.dshield.org/ipinfo.html?ip=211.44.250.196&update=yes

Depending on your equipment (router/firewall), you can block this IP and prevent any further attempts.

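A defender-side check for the situation in this thread, added here as an example and not code from the asker or the experts: it counts firewall-forwarded connection attempts to port 3389 per source IP inside a sliding 3-minute window and flags sources that reach a threshold, skipping an allow-list of the project managers' addresses. The log line format, the threshold of 20 attempts and every address other than 211.44.250.196 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real device's syntax):
# "<YYYY-mm-dd HH:MM:SS> FWD proto=tcp src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FWD proto=tcp "
    r"src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)$"
)

def parse_hits(lines, dport=3389):
    """Group forwarded connection attempts to `dport` by source IP: {src: [timestamps]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("dport")) != dport:
            continue  # other ports and unparseable lines are ignored
        hits[m.group("src")].append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    return dict(hits)

def flag_sources(hits, window=timedelta(minutes=3), threshold=20, allow=frozenset()):
    """Return {src: peak_attempts} for sources reaching `threshold` attempts inside
    any sliding `window`; allow-listed sources (the project managers) are skipped."""
    flagged = {}
    for src, times in hits.items():
        if src in allow:
            continue
        times = sorted(times)
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def make_sample_lines():
    """Constructed sample: the noisy source from the question (100 hits in under 3
    minutes), one legitimate user connecting three times, and one unrelated port-443 hit."""
    base = datetime(2011, 9, 26, 8, 0, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} FWD proto=tcp src={} dst=192.0.2.10 dport={}"
    lines = [fmt.format(base + timedelta(seconds=9 * i // 5), "211.44.250.196", 3389)
             for i in range(100)]
    lines += [fmt.format(base + timedelta(minutes=5 * i), "198.51.100.7", 3389) for i in range(3)]
    lines.append(fmt.format(base, "203.0.113.9", 443))
    return lines
```

A source that shows up here but leaves no logon events in the Terminal Server's Security log is connecting without getting as far as authentication, which matches what the asker sees; when the port cannot be changed, restricting the forwarding rule to the project managers' source addresses is the firewall-side mitigation.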