Windows Event 56 TermDD. Am I getting hacked?

Posted on 2016-09-01
Last Modified: 2016-09-01
I have a Windows 7 Pro workstation within a domain that is getting a Windows Event 56 TermDD.
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client (IP address).
I just noticed this and I am seeing at least 8 different public IP addresses listed. Am I getting hacked? Remote Desktop is turned on for this machine but port forwarding is not set up for this machine in the firewall.
Is this a false alarm?
Question by:TcAnthony
  • 2
  • 2

Accepted Solution

bas2754 earned 500 total points
ID: 41780723
No, this is not a false alarm.  If you are getting that event in your system from multiple different external IP addresses, then it is a strong probability somehow someone is trying to access your system.

Are you certain your firewall has not been compromised?  You can also turn on your computer's firewall and ensure that you disabled the RDP port in (3389) and ensure that it is not possible to connect to it.  I can't tell you how it is occurring without knowing more about your setup, but if you have an older firewall and you have older firmware on it and have not updated it, or perhaps still have defaults set for usernames and passwords or have one of the many with known vulnerabilities in it, then someone may have compromised it.

How often is this occurring?  I see that this is in a domain.  Is it possible the domain controller is a SBS 2011 or SBS 2008 server that might have Remote Web Workplace setup (acts as a gateway to allow valid users to access their computers using a web login)?  If someone has gotten hold of valid credentials then they may be attempting to RDP via that interface to your system.  

Are other computers getting these errors as well?  If you are not the IT admin, I would advise whoever is that there is a possible issue.  

Bottom line is that until you can explain it, you need to treat it as a threat.  If you want more assistance, post more information and we can help.

Author Comment

ID: 41780729
Yes, this is SBS2011. Nothing is still at default but it looks like I have some work to do. Thanks so much for your quick response. I will tack it down immediately. I very much appreciate your immediate answer!!

Author Closing Comment

ID: 41780732
Expert was amazingly quick and correct. I love Experts-Exchange for this very reason. I cannot do business without them!!

Expert Comment

ID: 41780741
You can go into the SBS Console and disable the Remote Access for each of your systems.  In your company firewall (unless the SBS server is acting as the firewall - hopefully not), you need to block access to the the RDP Port (probably forwarding to that server).

The following will also guide you through disabling RWW:

In all honesty if this is occurring you need to be ready to deal with a possibly breached server and implement whatever Disaster Response / Incident Response Plans you have in place.  In all systems, including the server, you will want to export and save the event logs.  Full Malware and Virus scans need to be done on each system - particularly the server.  Additionally check the security logs on the server if that is how it is occurring and see if you can match up logins to the times on your computer.  RWW does keep a log of users I believe so you can track down the offending one.  Change all passwords immediately, and if possible kill all inbound ports to your server (this WILL impact email, VPN, etc if your server is hosting those services to outside users).

If you are an organization that handles any kind of sensitive customer data (Credit Cards, Emails, Files, Medical Records, Etc...) be ready to potentially have to file a report.  If you have coverage from your insurance company covering Data Breaches, you may want to consider contacting your insurance representative.  Many times they have resources ready to step in and guide the process.  You might also want to consider doing a full image based backup of your server for potential post-incident forensic analysis.

I know it seems overboard, but it is better to be quick on the trigger to stop things than to shrug it off and regret it later.  

Let us know if we can help further.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This is a video describing the growing solar energy use in Utah. This is a topic that greatly interests me and so I decided to produce a video about it.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now