bobinny
join:2014-08-03
usa

bobinny

Member

I think my remote access is being attacked

The other day I walked up to my computer and it appeared to be very sluggish. I clicked on task manager and there were numerous instances of winlogon running. The network was running at about 500k.

See attached screen prints.
I think that someone was trying to hack in via remote access.

I pulled the ethernet plug and everything stopped.

I have to run remote logon, but I have disabled it for right now. I have a pretty good 12 digit password, upper and lower case plus numerical symbols etc.

I am not a security expert, but do you guys out there think that I was a recipient of a password attack?

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

Welcome to the forum!

I'm not sure what happened but why not just lock down remote access?
Restricting access to specific IPs is effective.

Take a look at the suggestions here
»www.wikihow.com/Secure-a ··· -Desktop

One item the link doesn't mention is simply changing the port RDP listens on from 3389 to anything else out of the range to prevent auto scanners from including your IP in their 'hit list'.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to bobinny

MVM

to bobinny
said by bobinny:

I have to run remote logon

Not enough information to say one way or another.

What port(s) does this remote logon run on?

Are the associated port(s) for remote logon ONLY visible from your LAN, or do you have them
port-forwarded on your edge device to your ISP?

Do you have any traffic log(s) from your remote logon software for review? If so, do they
show anything?

Do you have any traffic log(s) from your edge device?

Did you take a look at your Windows logs? Do you have any sort of Windows logs for review?

If you don't have any of the above, I'd go set them up and start logging them somewhere so
if this does happen next time, they can be immediately pulled for review.

My 00000010bits

Regards

MacGyver

join:2001-10-14
Vancouver, BC
·TELUS
Actiontec T3200M
Arcadyan WE410443-TS
Sipura SPA-2102

MacGyver to Snowy

to Snowy
If you have a port open for RDP, you'd be insane to allow traffic from anywhere on the net to access it. I have had my RDP connection on a non-standard port identified by hackers and they pounded away at it for a while before I set a rule to only allow my work IP access. I found the entries in my Windows Event Viewer. They weren't going to get very far anyway, as I rename the Administrator account to something else on all my machines.
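
The Windows log review raised in the replies above can be scripted. The following is an added example, not code posted by anyone in the thread: it counts failed logons (Security event ID 4625) per source address for network and RDP logon types. The function names, the threshold, and the sample events are assumptions made for the illustration.

```powershell
# Added example, not code from the thread. Counts failed logons (Security event
# ID 4625) per source address for network (3) and RDP (10) logon types.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one XML string per event
        [int] $Threshold = 3                           # assumed cut-off; tune it
    )
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        if ($evt.System.EventID -ne '4625') { continue }      # failed logons only
        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['LogonType'] -notin '3', '10') { continue } # skip local/console
        [pscustomobject]@{ Source = $data['IpAddress']; Account = $data['TargetUserName'] }
    }
    $rows | Group-Object Source | Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample events (documentation addresses, made-up account names).
function New-SampleEvent([string] $EventId, [string] $Ip, [string] $User, [string] $Type) {
    "<Event><System><EventID>$EventId</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>" +
    "<Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    'Administrator', 'admin', 'test', 'user' |
        ForEach-Object { New-SampleEvent 4625 '203.0.113.45' $_ 3 }  # repeated guessing
    New-SampleEvent 4625 '198.51.100.7' 'alice' 10   # one mistyped password
    New-SampleEvent 4624 '198.51.100.7' 'alice' 10   # successful logon, ignored
    New-SampleEvent 4625 '-' 'alice' 2               # console failure, ignored
)
Get-FailedLogonSummary -EventXml $sample

# Live use, from an elevated prompt:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() }
#   Get-FailedLogonSummary -EventXml $xml -Threshold 10
```

A source address that appears with many failures across several account names is the pattern to look for before deciding which addresses the firewall rule should allow.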