Super annoying hacker trying to remote into our server all the time
Posted on 2012-03-12
Someone is continuously trying to log in to our computer remotely. We've changed our IP several times and then it will stop for a time, and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open, you can see that it'll come up and say RDP-Tcp#7221, for example, and the processes will just show the winlogon. Then a second or two later, they'll drop out, and a new connection will be opened with the number incremented to, like, #7222, for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for a while and then at some point they start trying to log in again.
I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right, though), suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer.
What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.
What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?