Unwanted TCP Connections

Asked by Craig LaDuke (United States):

I have an event where my server accepted a new TCP Connection from client through RemoteDesktopServices-RdpCoreTS/Operational. This seems like a hacker. Can anyone help me stop this connection?
John (Canada):

Install Wireshark or CommView (TamoSoft) on your server and examine the packets. Look for the connections (IP addresses) that are concerning to you. That is how to understand this issue.
Craig LaDuke (asker):
I can see the IP address. I searched it and it is coming from Canada and Brazil.
Use whois.com to look up the IP address and associate it with the IP owner. There could be any number of reasons for this situation, so you need to look up some owner / company information.
I am able to see some info on this page but not 100% sure what I'm looking at. Looks like I can see who is providing the IP address but not sure what else I'm looking at. I rebooted my system this morning and there are a lot more TCP connections that I don't recognize.
Whois should provide the owner of the IP and contact information as part of its output.

Post an IP here and let's look at it.
54.39.67.108:52907
12.228.172.98:20641
74.78.247.57
74.78.247.57 is Time Warner - Is that your ISP?

74.64.0.0 - 74.79.255.255

Time Warner Cable Internet LLC
6399 S Fiddlers Green Circle
Greenwood Village
CO
80111
United States

IPAddressing
+1-314-288-3111
ipaddressing@chartercom.com

+1-703-345-3416
abuse@rr.com


54.39.67.18 looks like a software company or the like.

54.39.67.16 - 54.39.67.19

Processia Solutions
3131 Blv. Saint Martin O. Suite 400
Laval
QC
H7T 2Z5
Canada

NOC
+1-855-684-5463
noc@ovh.net

+1-855-684-5463
abuse@ovh.ca

=================

Are these knocking on your firewall / router or connecting directly in (the first IP on port number 52907)?
Looks to me like they are connecting. When I look at my events page it shows "The server accepted a new TCP connection from client 81.223.20.233:31699".
This is a new connection that was just established but the other IP address said the same thing.
You need to look at who they are and then block them in your firewall.
Also check for viruses on your server to see if that is the cause.
I have never blocked an IP address in my firewall. Can you explain that process please?
I will do some looking. I am traveling and will look in later.
Thank you, I will do some more research myself.
Shaun Vermaak:
Seems that you have RDP exposed to the internet. Far better to use a VPN instead.

Either close the port (default 3389) with a firewall or disable RDP completely.
You can block it via a network firewall or the Windows Firewall. You can even block it selectively for specific IP addresses, etc.
At the very least, use RDPGuard
In addition to the above, you (a) need to check for viruses and (b) isolate your server as noted above.

Here is an article to block IP addresses in Windows Firewall (multiple OS)

https://superuser.com/questions/1159401/using-windows-firewall-to-block-a-specific-ip-on-windows-10
As I go through the Event Viewer I have noticed that these IP addresses are getting connected and disconnecting within a few seconds due to wrong username and password. Setting up a remote connection for published apps is the only reason I have it turned on. I am able to run my remote apps locally but not externally. I'm sure I compromised some things while trying to make this happen.
If you are using your server to browse, do things and connect like a regular user, that could happen, so use a workstation for such activity.
Well, obviously someone is doing a brute force, and after a successful account breach the ransomware starts. Disable RDP/RemoteApps or set the Windows Firewall to local subnets.
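The pattern the asker describes (connection accepted, then dropped seconds later on a bad username/password) is exactly what a tally of the event logs makes visible. The script below is an added example, not something posted in this thread; it reads the RdpCoreTS/Operational log the asker named (event 131, the "accepted a new TCP connection from client" message) together with Security event 4625 (failed logon), and counts failures per source address so the noisy sources stand out. It assumes PowerShell 5.1 or later run as Administrator on the affected server, IPv4 sources, and that Security auditing of logon failures is enabled (it is by default on Windows Server).

```powershell
# Added example (not from the thread): summarize RDP connection attempts and failed logons by source IP.
# Assumes: elevated PowerShell 5.1+, IPv4 client addresses, logon-failure auditing enabled.

param(
    [int]$Hours = 24,
    [int]$Threshold = 10   # flag any source IP with at least this many failed logons
)

$since = (Get-Date).AddHours(-$Hours)

# 1. New TCP connections to the RDP listener (event 131 in the log named in the question).
#    Message text looks like: "The server accepted a new TCP connection from client 81.223.20.233:31699."
$rdpLog = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
$connections = Get-WinEvent -FilterHashtable @{ LogName = $rdpLog; Id = 131; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'from client (?<ip>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)') {
            [pscustomobject]@{ Time = $_.TimeCreated; SourceIp = $Matches.ip; SourcePort = [int]$Matches.port }
        }
    }

# 2. Failed logons from the Security log (event 4625); the client address is in EventData/IpAddress.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            SourceIp  = $data['IpAddress']
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network (NLA pre-auth)
        }
    }

# 3. Tally failures per source, join in the accepted-connection count, and flag the noisy ones.
$summary = $failures |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    ForEach-Object {
        $ip = $_.Name
        [pscustomobject]@{
            SourceIp    = $ip
            Failures    = $_.Count
            Users       = ($_.Group.User | Sort-Object -Unique) -join ','
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Connections = @($connections | Where-Object { $_.SourceIp -eq $ip }).Count
        }
    } |
    Sort-Object Failures -Descending

"RDP connections accepted in the last $Hours h: $(@($connections).Count)"
$summary | Format-Table -AutoSize

$suspects = $summary | Where-Object { $_.Failures -ge $Threshold }
if ($suspects) {
    "Sources at or above $Threshold failed logons (candidates for a firewall block rule):"
    $suspects.SourceIp
}
```

A long list of different usernames from one address with no successful logon in between is the signature of a password-guessing run; a single address that fails and then succeeds is the case worth investigating urgently. Run it as `.\Rdp-FailureSummary.ps1 -Hours 72 -Threshold 5` (script name is illustrative) to widen the window.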
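Both firewall changes suggested in this thread (block the offending addresses, as in John's linked article, and restrict RDP to the local subnet, as Shaun says here) can be done from an elevated PowerShell. The script below is an added example, not from the thread or its linked article; it uses the NetSecurity cmdlets shipped with Windows 8 / Server 2012 and later, assumes the built-in "Remote Desktop" rule group is what currently allows TCP 3389 in, and the addresses in `$blockList` are constructed placeholders to be replaced with the ones seen in the Event Viewer.

```powershell
# Added example (not from the thread): two Windows Firewall changes, run from an elevated PowerShell.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and that the built-in
# "Remote Desktop" rule group is what allows RDP in.

# Constructed sample list (documentation ranges); replace with the addresses from the event log.
$blockList = @('203.0.113.10', '198.51.100.0/24')

# 1. Block specific sources outright, on every port and profile. A block rule takes precedence
#    over an allow rule, so this works even while the RDP allow rules still exist.
$ruleName = 'Block RDP brute-force sources'
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    # Merge new addresses into the existing rule instead of creating duplicate rules.
    $current = ($existing | Get-NetFirewallAddressFilter).RemoteAddress
    $merged  = @($current) + $blockList | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $merged
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -Profile Any -RemoteAddress $blockList -Enabled True | Out-Null
}

# 2. Narrow the built-in Remote Desktop allow rules to the local subnet, so the listener is no
#    longer reachable from the internet at all (the "set the Windows Firewall to local subnets" advice).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress LocalSubnet

# 3. Show the resulting scope of both for review.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
}
```

Step 2 will also cut off your own RDP session if you are administering the server over the internet, so run it from the console or a LAN/VPN session. Blocking individual addresses (step 1) is only a stopgap: the sources rotate, and the lasting fix is the one the thread already gives, keeping 3389 off the internet and reaching it through a VPN or gateway instead.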
Depending on the size of your network and assuming you can afford it, a firewall appliance might be worth considering

SonicWALL, Fortinet and Sophos all have good products, though personally I prefer SonicWall.
This morning I was looking through my Event Viewer and saw this in one of my events:
The following network characteristics have been detected for tunnel 8;Link latency : 0 milliseconds and Bandwidth: 92390
Since this started I'm getting no IP address hits on RDPGuard. Looks very fishy.
Can you block the IP addresses in your firewall? OR, install a good firewall in front (as suggested above) to block these attempts.
I turned off Remote Desktop on my server and stopped everything that was going on. I am still able to access my web server externally but still having problems with accessing my gateway server externally. That's a different conversation. Thanks to all for your input!!!!!