Several Times a day RDP Guard shows multiple login (hundreds) Like Brute Force

I have a customer who runs (no, I didn't set it up) Windows 7 / Thin stuff and RDP Guard.
What is happening is that several times a day RDP Guard shows multiple logins (hundreds), like a brute force, and then RDP Guard blocks IP addresses, many of them being local machines that are not even turned on. At least several times a day it also blocks itself.

I went last night to help him and scanned for viruses, rootkits, malware, and ran SFC, the Baseline Security Analyzer, and Microsoft Safety Scanner; all came up empty with no issues,
but the attacks continue. I have also checked the local machine for scripts etc.

I ran port scans on the firewall and found only 2 open ports, one going to a camera and one for RDP that points to the machine.

In addition, I have been told by my friend that even if you remove the network cable, RDP Guard and the Windows Resource Monitor still show as if attacks are happening and RDP Guard continues blocking IP addresses, so this is why I have focused on the local machine as the issue or as having some sort of bug.

Any suggestions of where I should look next?
2 Solutions
btan (Exec Consultant) commented:
I see that RDPGuard (lock out after x (or 3 by default) attempts) does not seem to work if the attempts are made with a username which is unknown to the system. Of course no harm is possible, but they still fill up the security log.

If I were to change the RDP default (3389) listening port, update the FW and add the port suffix on the RDP clients, I guess the attempts may disappear or be reduced. Also, RDPGuard uses the Windows default FW rule, and if we see there are related RDP denials it may otherwise not be seeing them; we may want to make sure the FW rules are not allowing some local IP address or application unnecessarily, causing RDP Guard to keep flagging.

Likewise, if we check the event log there should be corresponding failed logon attempts (e.g. event ID 4625) if we turn off the RDPGuard Windows service; otherwise I do see the possibility of a false positive. It is strange that localhost is the source, and I suspect there is a certain service persistently attempting that RDP port using some user ID.
Tarris89 (Author) commented:
Changing the port does not do anything, because even if you unplug the network it still shows attacks and blocks IP addresses (local and Internet), so it has to be something running on the machine. The only issue there is that all scans come up clean, even checking for boot-time scripts etc.

I will keep checking. I also tried to remove RDP Guard and do a fresh install of it, but that didn't help.
btan (Exec Consultant) commented:
I was thinking, if we were to log in to safe mode, would the login attempts still be as pervasive? I will also want to check the startup programs. Maybe what we should do is really find out what process is behind this ...

e.g. Show if any process is listening on port 1433 (in our case it may be the RDP port), for example:
c:\temp> netstat -ano | find /I "1433" | find /I "LISTEN"
Proto Local Address Foreign Address State PID

e.g. Using tlist or Task Manager one can take the PID (last column) from the above command to find the process:
c:\temp> tlist | find /I "6244"
6244 sqlservr.exe

e.g. To stop the process: taskkill /PID {process id}
If it works, a message stating "Success: The process with PID {PID} has been terminated." is shown.

Another useful tool is the PsTools suite, just to sieve more things out:

e.g. PsList - list detailed information about processes
e.g. PsService - view and control services
e.g. PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
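The two checks suggested in the answers above (find the process behind the RDP listening port, and compare RDP Guard's blocks against the failed-logon events in the Security log) can be done in one script. The following is an added PowerShell example, not code from the thread or from RDP Guard; it assumes the default RDP port 3389 and parses netstat rather than using Get-NetTCPConnection, which does not exist on Windows 7. Run it from an elevated PowerShell prompt so the Security log is readable.

```powershell
# Added example (not from the original thread): map the RDP listening port to its
# owning process, then summarise Event ID 4625 (failed logon) by source address so
# that locally originated attempts (127.0.0.1, ::1 or a blank source) stand out.
# Assumptions: RDP listens on 3389; netstat and Get-WinEvent are available (PS 2.0+).

param(
    [int]$RdpPort = 3389,   # assumption: default RDP listening port
    [int]$Hours   = 24      # how far back to read the Security log
)

# --- 1. Which process owns the RDP listener? (same netstat -> PID idea as above) ---
# netstat -ano line format: "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234"
$pattern = "^\s*TCP\s+(\S+):$RdpPort\s+\S+\s+LISTENING\s+(\d+)\s*$"
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match $pattern) {
        $procId = [int]$Matches[2]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $Matches[1]
            PID          = $procId
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<not found>' }
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }
}
"Processes listening on TCP/$RdpPort"
$listeners | Format-Table -AutoSize

# --- 2. Failed logons (4625) in the last $Hours hours, by source address ---
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$failed = foreach ($e in $events) {
    # EventData is easiest to read from the event XML; field names are the standard 4625 ones.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['TargetUserName']
        SourceIP    = $d['IpAddress']        # '-' or 127.0.0.1 / ::1 means it came from this host
        Workstation = $d['WorkstationName']
        LogonType   = $d['LogonType']        # 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA)
        CallerPID   = $d['ProcessId']        # hex PID of the calling process on this host, when recorded
        CallerExe   = $d['ProcessName']
    }
}

"Failed logons since $since, grouped by source address"
$failed | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIP'; e = { $_.Name } } | Format-Table -AutoSize

# A local source with a non-zero CallerPID points straight at the process to inspect
# with the netstat/tlist/taskkill steps above.
$failed | Where-Object { $_.SourceIP -in @('-', '127.0.0.1', '::1') -and $_.CallerPID -ne '0x0' } |
    Select-Object -First 20 Time, User, CallerPID, CallerExe, LogonType | Format-Table -AutoSize
```

If the second table shows hundreds of failures with no network cable attached, the source column and CallerPID tell you whether Windows itself is generating the events (a local process authenticating in a loop) or whether RDP Guard is reacting to something other than the Security log. The `-in` operator needs PowerShell 3.0 or later; on the PowerShell 2.0 that ships with Windows 7, replace it with `@('-', '127.0.0.1', '::1') -contains $_.SourceIP`.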
Tarris89 (Author) commented:
Although the above solutions did help, the final answer, after spending time with some antivirus and malware companies and spending a few hundred dollars, was that they found a bug but could not tell us what it was or help us remove it. We ended up changing the ports for RDP and doing a complete reinstall of the system and software.
Problem solved.

Thank you guys.