Setup Home PC to be a remote desktop over the internet and now Polish IPs are creating lots of network traffic on port 3389.

Last week I wanted to work remote and tried to enable RDP to reach my home computer from my girlfriend's house. I even bought a domain name so that I could utilize DDNS and remote in with just my name.

Today I was fooling around with netstat and discovered about a dozen established connections to a foreign IP address I don't recognize going out on my port 3389. So I searched it up and it's registered to a Polish man, and has recently been reported hundreds of times on AbuseIPDB.com.

I then saw a good tip online to check the process ID and find it in task manager...and it's svchost.exe with the username as NETWORK.

Before I disabled the port forwarding on my router I captured some of the TCP stream which confirms that he's establishing connection with my computer as the server. However, I'm not well versed at deciphering what Wireshark is telling me beyond this. There's key exchanges, client and server 'hello' messages, "encrypted alerts", and application data.

If I'm seeing this correctly, the connection hops to different ports which seems really bad. I can see in Wireshark that my computer sent a packet with the info "3389 -> 44592 [SYN, ACK]".

Here's hoping there are some Wireshark experts here that can help me figure out what the hell is going on. Thanks in advance everyone.

(I haven't posted anything like screenshots/IPs/names/etc because I want to make sure I'm not breaking the personal data sharing rules)

submitted by /u/aventador75

from hacking: security in practice https://ift.tt/3I9H7oI
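Added example, not code from the original post: a small triage script for exactly the two things the post looks at, the `netstat -ano` output (which side owns port 3389, how many established sessions each remote host has, which PID holds them) and the Wireshark Info line `3389 -> 44592 [SYN, ACK]`. The netstat rows and packet summary are constructed sample data; the addresses are RFC 5737 documentation ranges and the PID is made up. The svchost.exe/NETWORK SERVICE detail is expected for the RDP listener (TermService runs inside svchost.exe as NETWORK SERVICE), so the script treats that as normal and flags the remote peers instead.

```python
"""Triage inbound RDP (TCP 3389) connections from `netstat -ano` output.

Added example: this is not code from the original post. The netstat lines and
the Wireshark-style packet summary below are constructed for illustration;
the IP addresses come from RFC 5737 documentation ranges, not from any real host.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

RDP_PORT = 3389

# Constructed sample of `netstat -ano` output on a Windows home PC. PID 1104
# stands for the svchost.exe instance hosting TermService (the RDP listener),
# which runs as NETWORK SERVICE; that is normal and not by itself suspicious.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.20:3389      203.0.113.7:44592      ESTABLISHED     1104
  TCP    192.168.1.20:3389      203.0.113.7:44601      ESTABLISHED     1104
  TCP    192.168.1.20:3389      203.0.113.7:44622      ESTABLISHED     1104
  TCP    192.168.1.20:3389      198.51.100.9:51233     ESTABLISHED     1104
  TCP    192.168.1.20:49700     192.168.1.1:443        ESTABLISHED     5320
  TCP    [::]:3389              [::]:0                 LISTENING       1104
"""

# Only TCP rows carry a State column, which is all we need for RDP sessions.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)

LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_addr(addr):
    """'192.168.1.20:3389' -> ('192.168.1.20', 3389); also handles '[::]:3389'."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_lan(host):
    """True for RFC 1918, loopback and link-local addresses; anything else is 'foreign'."""
    ip = ip_address(host)
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in LAN_NETS)


def parse_netstat(text):
    """Yield one dict per TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue  # header, blank line or UDP row
        lhost, lport = split_addr(m["local"])
        rhost, rport = split_addr(m["remote"])
        yield {"lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
               "state": m["state"], "pid": int(m["pid"])}


def inbound_rdp_sessions(text, port=RDP_PORT):
    """Established connections where *our* side is the RDP port, i.e. the remote
    host initiated them. Returns ({remote_host: count}, {owning PIDs})."""
    counts = Counter()
    pids = set()
    for row in parse_netstat(text):
        if row["state"] == "ESTABLISHED" and row["lport"] == port:
            counts[row["rhost"]] += 1
            pids.add(row["pid"])
    return counts, pids


def foreign_rdp_peers(text, port=RDP_PORT):
    """Remote hosts outside the LAN with established sessions to our RDP port."""
    counts, _ = inbound_rdp_sessions(text, port)
    return {h: c for h, c in counts.items() if not is_lan(h)}


PACKET_RE = re.compile(r"^\s*(?P<src>\d+)\s*->\s*(?P<dst>\d+)\s*\[(?P<flags>[^\]]*)\]")


def classify_packet(summary, port=RDP_PORT):
    """Explain a Wireshark Info column like '3389 -> 44592 [SYN, ACK]'.

    The two numbers are the source and destination TCP ports of that one packet.
    A SYN/ACK *from* 3389 is our server answering a client's SYN; the other
    number is the client's ephemeral source port, not a port we 'hopped' to.
    """
    m = PACKET_RE.match(summary)
    if not m:
        raise ValueError(f"unrecognised packet summary: {summary!r}")
    src, dst = int(m["src"]), int(m["dst"])
    flags = {f.strip() for f in m["flags"].split(",") if f.strip()}
    if src == port and {"SYN", "ACK"} <= flags:
        return {"role": "server_synack", "client_port": dst,
                "meaning": f"we accepted an inbound connection to {port}; {dst} is the client's ephemeral port"}
    if dst == port and flags == {"SYN"}:
        return {"role": "client_syn", "client_port": src,
                "meaning": f"remote host opening a new connection to our port {port}"}
    if port in (src, dst):
        return {"role": "session_data", "client_port": dst if src == port else src,
                "meaning": f"traffic on an existing connection to port {port}"}
    return {"role": "unrelated", "client_port": None, "meaning": "not an RDP packet"}


if __name__ == "__main__":
    counts, pids = inbound_rdp_sessions(SAMPLE_NETSTAT)
    print("inbound RDP sessions by remote host:", dict(counts), "owning PIDs:", pids)
    print("foreign peers:", foreign_rdp_peers(SAMPLE_NETSTAT))
    print(classify_packet("3389 -> 44592 [SYN, ACK]")["meaning"])
```

Two things worth checking against real output: several ESTABLISHED rows from one non-LAN address to local port 3389, all owned by the same PID, is the footprint of a remote host repeatedly connecting to the exposed RDP listener (the TLS hellos, key exchange and "encrypted alert" seen in Wireshark are RDP's TLS layer, with the alert typically being the server tearing a session down), and a `3389 -> 44592 [SYN, ACK]` line is the second step of a TCP handshake sent by the server, where 44592 is the client's source port, so the connection is not moving between ports. Replace `SAMPLE_NETSTAT` with the text of `netstat -ano` from the machine to run it on real data.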
