Weird, concerning "established" connections on RDP port to Russia

First of all, what the actual fuck

Intro out of the way: I was building an app for my Windows 2022 server hosted in the cloud by a hosting company.
The app is basically a monitoring tool that allows me to check if someone connects/disconnects to my server. It tracks connections to RDP using the following command: netstat -n | findstr ':3389' | findstr 'ESTABLISHED'
The command is substituted with something else but whatever.
Here is the output of this command:

  TCP    my_server_ip:3389    195.226.194.30:7927    ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.32:1775    ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.34:42754   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.34:45024   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.34:45492   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.35:28821   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.61:34326   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.62:54148   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.65:29606   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.65:31206   ESTABLISHED
  TCP    my_server_ip:3389    195.226.194.68:13096   ESTABLISHED
  TCP    my_server_ip:3389    my_pc_ip:49337  ESTABLISHED

So what is 195.226.194.*?
It says established connection :confused:
If I close my connection and rerun the command, my connection is gone but the other connections are still present? What the...

So I tried changing the password and rebooting; connections still there.
I also did some digging and got this:

I'm a bit terrified considering the server has a lot of documents, password manager etc. The password is long and files are partially encrypted/require a password to open, but if someone is looking at my screen 24/7 that does not help at all.

Did the hosting company give me a shit image? What is actually going on?

For reference, I tried that command on my Windows 10 PC and the output is nothing or 1 connection as expected...

Please help!

Comments

  • DP Administrator, The Domain Guy
    edited March 2023

    Established just means it’s connected, not logged in.

    quser will tell you who’s actually logged on.

    Just change the port and/or setup allowed IPs.

  • DeadlyChemist

    @DP said: quser will tell you who’s actually logged on.

    Sure, but it does not tell me the IP.
    Now another question: can I kill the connection without logging the user out?

    @DP said: Established just means it’s connected, not logged in.

    So I shouldn't worry, it's just some kiddy trying passwords?

  • rsk Member, Patron Provider

    @DeadlyChemist said: So I shouldn't worry, it's just some kiddy trying passwords?

    Even if it's a kiddy trying passwords out, my advice is to always limit it to the outside world. Like @DP said, either change the RDP port and/or set up allowed IPs, especially since you are saying that the server has some sensitive content on it.

  • DeadlyChemist

    @rsk said:

    @DeadlyChemist said: So I shouldn't worry, it's just some kiddy trying passwords?

    Even if it's a kiddy trying passwords out, my advice is to always limit it to the outside world. Like @DP said, either change the RDP port and/or set up allowed IPs, especially since you are saying that the server has some sensitive content on it.

    Hm, I'd go with a whitelist but not sure how to make the whitelist update in Windows Defender, since my IPs change: work, school, phone, etc. Might look into it.

    Is there a good way to check which IP is logged in?
    That would help me more to be honest.

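As an added example (not code from the thread or from any poster), this PowerShell script does what the question above asks: it separates "has an ESTABLISHED TCP connection to the RDP port" from "is actually logged on", and shows the client address behind each active session. It assumes the default port 3389, English quser output, and Windows Server 2016 or later, where the TerminalServices-LocalSessionManager operational log is on by default.

```powershell
# Added example, not from the thread: tell "connected to port 3389" apart from "logged on",
# and show which client address each active RDP session came from.
# Assumes the default port 3389, English quser output, and Windows Server 2016 or later.

$RdpPort = 3389

# 1. Remote addresses with an ESTABLISHED TCP connection to the RDP port: the same view as
#    "netstat -n | findstr :3389 | findstr ESTABLISHED", but as objects.
$connected = @(Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique)

# 2. Successful session logons (event 21) and reconnects (event 25) from the
#    TerminalServices-LocalSessionManager log; both carry the client's "Address".
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 25
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{ Time = $_.TimeCreated; User = $x.User; SessionId = [int]$x.SessionID; Address = $x.Address }
}

# 3. Session IDs that quser currently lists as Active (columns: USERNAME SESSIONNAME ID STATE ...).
$activeIds = @(quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '\s(\d+)\s+Active\s') { [int]$Matches[1] }
})

# 4. For each active session, the most recent logon/reconnect event gives the source address.
$active = $logons | Where-Object { $_.SessionId -in $activeIds } |
    Sort-Object Time -Descending | Group-Object SessionId |
    ForEach-Object { $_.Group | Select-Object -First 1 }

'Sessions currently logged on (session id, user, client address):'
$active | Format-Table SessionId, User, Address, Time -AutoSize

'Addresses with an ESTABLISHED connection but no successful logon in 7 days (connecting, not logged in):'
$connected | Where-Object { $_ -notin @($logons.Address) }
```

Addresses that show up only in the second list are exactly the ones in the netstat output above: a TCP handshake completed, but no session was ever authenticated from them.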
  • FatGrizzly Member, Host Rep

    @DeadlyChemist said:

    @rsk said:

    @DeadlyChemist said: So I shouldn't worry, it's just some kiddy trying passwords?

    Even if it's a kiddy trying passwords out, my advice is to always limit it to the outside world. Like @DP said, either change the RDP port and/or set up allowed IPs, especially since you are saying that the server has some sensitive content on it.

    Hm, I'd go with a whitelist but not sure how to make the whitelist update in Windows Defender, since my IPs change: work, school, phone, etc. Might look into it.

    Is there a good way to check which IP is logged in?
    That would help me more to be honest.

    Why not restrict that port to your country only? I don't know if that's a thing in Win servers. I used to use CSF to restrict ports to my country's IP addresses.

  • DeadlyChemist

    Not sure what's that.

    @FatGrizzly said: Why not restrict that port to your country only?

    If the Windows docs were less shit I could just make a list of IPs that's dynamically updated or something.
    Not sure, but I do want some 2FA (hidden is fine) way to log in.

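The "list of IPs that's dynamically updated" can be done with the Windows firewall cmdlets alone. The following is an added example (not from the thread or any poster) that rebuilds the allow-list for the built-in "Remote Desktop" inbound rules from fixed ranges plus dynamic-DNS names, refusing to apply an empty list; the addresses and hostnames in it are placeholders, and it assumes an elevated PowerShell on a server that still uses the built-in rule group.

```powershell
# Added example, not from the thread: keep the built-in "Remote Desktop" inbound firewall rules
# limited to an allow-list rebuilt from fixed ranges plus DNS names whose address changes
# (a dynamic-DNS name for a home or phone connection). Run elevated; schedule it with
# Task Scheduler every few minutes so the list follows your IP. All addresses and names here
# are placeholders.

$StaticAllowed = @('203.0.113.10', '198.51.100.0/24')   # placeholders: office / VPN ranges
$DynamicNames  = @('home.ddns.example')                  # placeholder: DDNS name(s) you keep updated

# Resolve each dynamic name to its current IPv4 address; a name that fails to resolve is
# skipped with a warning instead of silently shrinking the list.
$resolved = foreach ($name in $DynamicNames) {
    try {
        Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    } catch {
        Write-Warning "Could not resolve $name; it will not be in the allow-list this run"
    }
}

$allowed = @(@($StaticAllowed) + @($resolved) | Where-Object { $_ } | Sort-Object -Unique)

# Never apply an empty list: better to leave the firewall as it is than guess what it does with one.
if ($allowed.Count -eq 0) { throw 'Allow-list is empty; not touching the firewall.' }

# Apply to every inbound rule in the Remote Desktop group (TCP, UDP and Shadow rules).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed

# Show what is now in effect for each rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0}: {1}' -f $_.DisplayName, $addr
}
```

If you also move RDP to a different port, the built-in rules no longer cover it, so the rule you create for the new port needs the same RemoteAddress restriction; keep the provider's console as a way back in case the list is ever wrong.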
  • FatGrizzly Member, Host Rep

    @DeadlyChemist said:

    Not sure what's that.

    @FatGrizzly said: Why not restrict that port to your country only?

    If the Windows docs were less shit I could just make a list of IPs that's dynamically updated or something.
    Not sure, but I do want some 2FA (hidden is fine) way to log in.

    ConfigServer Firewall = CSF.

    Idk bout Windows honestly, try looking for any PowerShell scripts online.
