Solved

terminal server security - looks like hackers

Posted on 2011-09-26
Last Modified: 2012-05-12
Looking at my router/firewall I can see a couple of different IPs trying the RDP port 3389. I have this port open to allow project managers to work. They do not use a VPN but have the RDP user/password login.

As an example, I have this IP trying to look into port 3389 about 100 times every 3 minutes: 211.44.250.196. When I look at the TS Event Viewer I cannot see anyone trying to log in.

I suppose this is a 2-part question.
a) What do you think this IP is trying to do... if I can't even see it trying to log in?
b) Is there any threat here, and should I be doing something else?

Any advice would be helpful.
Question by:Shawn
3 Comments
 

Accepted Solution

by:
Shaik M. Sajid earned 500 total points
About the Event Viewer: the security settings will display the login information... even though for the RDP session ...

Related to port monitoring ... try to monitor the port by changing port.... from registry...

"You can also change the port used."

"That would be a firewall setting...still isn't an RDP setting."

Actually, unless you remap the port on the firewall (forward traffic on randomport# to 3389 on target RDP machine), you would also need to change a registry value on the machine you're RDPing to in order to change the listening port for RDP. While firewalls would be involved, changing the listening port for RDP is a registry edit.

http://support.microsoft.com/kb/306759

Changing the listening port number in this scenario would be a very good idea.

Author Comment

by:Shawn
shaiksaj. As I mentioned, though I can see the IPs through the firewall being forwarded to RDP, I cannot see any activity in the Event Viewer... including of course the security.

Changing the port isn't an option in my case.

Still haven't really addressed the question.

Expert Comment

by:Spartan_1337
IP is Korean

http://www.dshield.org/ipinfo.html?ip=211.44.250.196&update=yes

Depending on your equipment (router/firewall), you can block this IP and prevent any further attempts.
