RDP-Tcp connections popping up & then disappearing immediately in TSM

Status
Not open for further replies.

mdcr1

IS-IT--Management
Dec 3, 2009
20
US
In terminal services manager on a Windows 2003 server, it shows the normal few remote connections that we have that show up with a state of "Active", plus a standard RDP-Tcp (listener) entry for one connection showing a state of "Listen". This morning, when I connected, it showed one additional session/connection that would pop up with a state of "Active", then "Down", then disappear. It had a number of, for example, #9023, then when it would pop up again for 2 seconds, the number would be #9024, and it would disappear again. A second later, a session would open up again with the number of #9025, and disappear. Has anyone had any kind of experience like this? It looks like an external connection that opens a session, then closes it immediately after, and it continues for minutes at a time. This morning, it did that for at least 10 minutes, then it stopped for no apparent reason...I thought immediately that it was someone/something trying to get into our network, but it also didn't show a client name where normal connections identify the device trying to connect. Any thoughts? Thanks in advance!
 
This sounds like some sort of 'script kiddie' scan that is probing for connections. These kinds of things are normal for SSH servers, to which Terminal Services is closely related. I am not sure why they try opening and closing several connections, unless it is an attempt to either gain version or performance information.
 
If you look in the server's security log you should see entries for the dropped/connected session. IIRC, it should show the IP address and/or machine name that was trying to connect.

Sorry, it's been a while since I had to look and I don't have a TS available at the moment.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
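
Added example, not part of the thread or any poster's code: a small detector for the pattern described above, where one source opens many sessions that show no client name and close within seconds. The record format (timestamp, source IP, session id, client name, seconds open) is constructed for illustration and is not the Windows Security log format; the thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log output):
# timestamp, source IP, session id, client name ("-" = none), seconds open.
SAMPLE = """\
2024-01-15T08:00:01 203.0.113.7 9023 - 2
2024-01-15T08:00:04 203.0.113.7 9024 - 2
2024-01-15T08:00:07 203.0.113.7 9025 - 1
2024-01-15T08:00:10 203.0.113.7 9026 - 2
2024-01-15T08:00:13 203.0.113.7 9027 - 2
2024-01-15T08:01:00 192.0.2.15 9028 ACCT-PC 3600
2024-01-15T08:05:00 192.0.2.15 9029 ACCT-PC 1
"""

def parse(text):
    """Yield (timestamp, source, session_id, client, duration) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sid, client, dur = line.split()
        yield datetime.fromisoformat(ts), src, int(sid), client, int(dur)

def find_probes(records, max_duration=5, min_sessions=5,
                window=timedelta(minutes=1)):
    """Return {source: [ids of its short sessions]} for every source that
    opened at least min_sessions short, nameless sessions in one window."""
    short = defaultdict(list)
    for ts, src, sid, client, dur in records:
        # No client name and closed within seconds: the
        # Active -> Down -> gone pattern seen in the session list.
        if client == "-" and dur <= max_duration:
            short[src].append((ts, sid))
    flagged = {}
    for src, events in short.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_sessions:
                flagged[src] = [sid for _, sid in events]
                break
    return flagged

if __name__ == "__main__":
    for src, sids in find_probes(parse(SAMPLE)).items():
        print(f"{src}: {len(sids)} short sessions, ids {sids[0]}-{sids[-1]}")
```

A flagged source address is the value to look up in firewall or perimeter logs and to block or rate-limit there.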
 
Have you had any luck figuring out what was causing this? I logged into my server this morning to find similar activity occurring. Immediately my first thought was that someone was trying to gain access to our terminal server but I am not sure how to diagnose. Any help would be appreciated.
 