
RDWeb server getting hit with odd logon requests....


DrB0b

IS-IT--Management
May 19, 2011
Hello all,
So we have an old 2008 RDWeb machine that is handling our remote sales people's logon requests for RDWeb. We have it backed up with DUO dual authentication, just an FYI to show that this mildly insecure method is being handled by dual authentication for our protection. They are all able to log in fine and utilize the service and server. I had one user who was having dropped connection issues, so I started poking around the server, especially in the Event Viewer. I see that all normal calls for logins are handled correctly and show as an Audit Success in the Event Viewer. Although I noticed that there were hundreds of rogue login attempts, almost akin to a brute force attack. I jumped in the firewall and blocked all unknown IP addresses accessing this server and it stopped about 90% of these attempts, but there are still some happening, which scares me. That means that these calls have to be either made from the server itself or on the network. I will attach a picture of one such event below to show you what I'm talking about.

[attached screenshot of the Event Viewer entry: logonatmpt_w1uekr.jpg]


Notice the login account is Admin2, which is not a local account or a domain account, and also that there is no network info to track down where this came from. This happens about once a minute, give or take, but sometimes with different accounts that also do not exist, such as Christine, testsub, SAMANTHA, and other random accounts. Sometimes under the Workstation Name it will say "workstation". We do not have a PC in AD or otherwise that is called workstation, nor do we have any groups with that name.

I am at a total loss as to what to do. I do not see any rogue processes locally. I have disabled all scripts in the Task Scheduler. I do not see any rogue users logged into the server. My next idea is to wait until all remote users are off work and wireshark the machine to see if I can see any logon calls coming into the server. Not sure if that info would be encrypted so I may not be able to see it anyway.......

Any thoughts or suggestions would be helpful.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Best I can tell with Wireshark is that the requests are coming from our Domain Controller. The requests are getting even more diverse in the user names it is calling now.....

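Added here as an example, not code from the thread: a PowerShell snippet that tallies the Security-log logon failures the poster describes so that account names, workstation names, source addresses and the calling process can be compared in bulk rather than one event at a time. It assumes the entries are the standard event ID 4625 ("An account failed to log on") audits and that it is run on the RDWeb host itself from an elevated prompt.

```powershell
# Added example, not code from the thread. Summarise "An account failed to
# log on" audits (event ID 4625) from the Security log so the pattern the
# poster describes (non-existent accounts, workstation name "workstation",
# blank network fields) can be tallied instead of read one event at a time.
# Run on the RDWeb host from an elevated PowerShell prompt.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        LogonType   = $d['LogonType']   # 3 = network, 8 = network cleartext, 10 = remote interactive
        Process     = $d['ProcessName'] # caller on this host, e.g. the IIS worker process
        SubStatus   = $d['SubStatus']   # 0xC0000064 = user name does not exist
    }
}

# Unknown-account failures are the "Admin2 / Christine / testsub" style
# attempts, as opposed to real users typing a wrong password.
$unknown = @($rows | Where-Object { $_.SubStatus -eq '0xC0000064' })
"Failed logons since $since : $(@($rows).Count) (unknown account: $($unknown.Count))"

"`n-- attempts per account name --"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15

"`n-- attempts per workstation name / source address / logon type --"
$rows | Group-Object Workstation, SourceIP, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15

# Events with no source address still carry the calling process, which
# separates attempts arriving through the web front end from ones started
# by something running on the host itself.
"`n-- calling process for events with no source address --"
$rows | Where-Object { $_.SourceIP -eq '-' -or [string]::IsNullOrEmpty($_.SourceIP) } |
    Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
```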
 