Solved

terminal server security - looks like hackers

Posted on 2011-09-26
3
234 Views
Last Modified: 2012-05-12
Looking at my router/firewall I can see a couple different IPs trying the RDP port 3389. I have this port open to allow project managers to work. They do not use a vpn but have the rdp user/password login.

As an example I have this ip trying to look into the port 3389 about 100 times every 3 minutes. 211.44.250.196. When I look at TS event viewer I cannot see anyone trying to login.

I suppose this is a 2 part question.
a) what do you think this ip is trying to do ?...if I can't even see it trying to login.
b) is there any threat here and should I be doing something else?

any advice would be helpful.
0
Comment
Question by:Shawn
3 Comments
 
LVL 16

Accepted Solution

by:
Shaik M. Sajid earned 500 total points
ID: 36707584
about the event viever the the security settings will display the log in information... even thoug for the RDP session ...

releated to port monitoring ... try to monitor the ort by changing port.... from registry...

"You can also change the port used."

"That would be a firewall setting...still isnt an RDP setting."

Actually, unless you remap the port on the firewall (forward traffic on randomport# to 3389 on target RDP machine), you would also need to change a registry value on the machine you're RDPing to in order to change the listening port for RDP. While firewalls would be involved, changing the listening port for RDP is a registry edit.

http://support.microsoft.com/kb/306759

Changing the listening port number in this scenario would be a very good idea.
0
 
LVL 1

Author Comment

by:Shawn
ID: 36712489
shaiksaj. As I mentioned though I can see the IPs through the firewall being forwarded to rdp I cannot see any activity in the event viewer...including of course the security

changing the port sin't an option in my case.

still haven't really addressed the quesiton
0
 
LVL 17

Expert Comment

by:Spartan_1337
ID: 36712524
IP is Korean

http://www.dshield.org/ipinfo.html?ip=211.44.250.196&update=yes

Depending on your equipment (router/firewall), you can block this IP and prevent any further attempts.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question