Hello experts - the problem is: the upload side of my internet connection is saturated with unwanted traffic. Using a packet analyzer I see a lot of outbound traffic from port 3389. This traffic is coming from multiple machines on my network, and going to one or two suspicious IP addresses.
The network has 20 PCs, all of them are configured for Microsoft RDP remote desktop access on port 3389. I have a block of public IP addresses, and each one is mapped to a workstation. The machines are Win 7 Pro SP1, all patched up, running MS Security Essentials.
Attached is a Wireshark packet trace Capture-of-suspicious-activity-o.txt between a machine (192.168.17.40) and an unknown IP address (220.127.116.11). I think I captured the beginning of the conversation. This traffic occurred while the user was logged on to the console using their machine. I cannot detect a true Remote Desktop session, but there is a lot of outbound traffic. I had to change the .PCAP file extension to .TXT to upload it.
Please help me with the next step: are there any known exploits running on port 3389?
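One way to quantify the symptom described above (several internal hosts pushing large volumes from source port 3389 to the same external peer) is to aggregate flow records rather than stare at individual packets. This is an added example, not code from the poster; it assumes flow summaries in a constructed `src,sport,dst,dport,bytes` text form (such as a per-conversation export from the capture), and the sample lines and byte counts are made up.

```python
"""Flag internal hosts whose RDP service port (3389) is the *source* of large
outbound transfers to public destinations, grouped by destination peer."""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
MIN_BYTES = 1_000_000  # per (peer, host) pair before alerting; tune per site

# Constructed flow summaries (not a real capture): src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
192.168.17.40,3389,220.127.116.11,49211,5800000
192.168.17.41,3389,220.127.116.11,53120,4200000
192.168.17.42,3389,10.0.0.5,50000,9000000
192.168.17.40,3389,203.0.113.9,51000,12000
192.168.17.40,51515,93.184.216.34,443,30000
"""

def parse_flows(text):
    """Parse one flow per line into (src, sport, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append((src, int(sport), dst, int(dport), int(nbytes)))
    return flows

def is_external(ip):
    """True for routable public addresses; LAN, loopback and test ranges are ignored."""
    return ipaddress.ip_address(ip).is_global

def suspicious_rdp_uploads(flows, min_bytes=MIN_BYTES):
    """Return {peer: {host: bytes}} for RDP-sourced outbound traffic over threshold.

    A peer that collects several internal hosts is the pattern worth escalating;
    a single host with one peer may just be a legitimate remote-desktop session,
    so correlate hits with logged RDP sessions before acting."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, nbytes in flows:
        if sport == RDP_PORT and is_external(dst):
            totals[dst][src] += nbytes
    result = {}
    for peer, hosts in totals.items():
        hits = {h: b for h, b in hosts.items() if b >= min_bytes}
        if hits:
            result[peer] = hits
    return result

if __name__ == "__main__":
    for peer, hosts in suspicious_rdp_uploads(parse_flows(SAMPLE_FLOWS)).items():
        print(peer, "<-", ", ".join(f"{h} ({b} B)" for h, b in sorted(hosts.items())))
```

Hosts that appear under a shared peer while no interactive RDP session is logged on them are the ones to isolate and examine first.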