terminal server security - looks like hackers

Looking at my router/firewall I can see a couple different IPs trying the RDP port 3389. I have this port open to allow project managers to work. They do not use a vpn but have the rdp user/password login.

As an example I have this ip trying to look into the port 3389 about 100 times every 3 minutes. 211.44.250.196. When I look at TS event viewer I cannot see anyone trying to login.

I suppose this is a 2 part question.
a) what do you think this ip is trying to do ?...if I can't even see it trying to login.
b) is there any threat here and should I be doing something else?

any advice would be helpful.
LVL 1
ShawnAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sajid Shaik MSr. System AdminCommented:
about the event viever the the security settings will display the log in information... even thoug for the RDP session ...

releated to port monitoring ... try to monitor the ort by changing port.... from registry...

"You can also change the port used."

"That would be a firewall setting...still isnt an RDP setting."

Actually, unless you remap the port on the firewall (forward traffic on randomport# to 3389 on target RDP machine), you would also need to change a registry value on the machine you're RDPing to in order to change the listening port for RDP. While firewalls would be involved, changing the listening port for RDP is a registry edit.

http://support.microsoft.com/kb/306759

Changing the listening port number in this scenario would be a very good idea.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ShawnAuthor Commented:
shaiksaj. As I mentioned though I can see the IPs through the firewall being forwarded to rdp I cannot see any activity in the event viewer...including of course the security

changing the port sin't an option in my case.

still haven't really addressed the quesiton
0
James HIT DirectorCommented:
IP is Korean

http://www.dshield.org/ipinfo.html?ip=211.44.250.196&update=yes

Depending on your equipment (router/firewall), you can block this IP and prevent any further attempts.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.