TermDD - Error 50


With only port 80 exposed to the Internet it's not likely that these are actual connection attempts against the RDP server. I'd try to find some correlation between your authorized RDP connection attempts and these events. Presumably you're connecting from a back-end LAN or VPN from which RDP is allowed, so you should also be sure that there aren't unauthorized parties there attempting to make RDP connections to the server computers.

If you don't make any headway with those suggestions, sniff the traffic on the box for a day with a capture filter set to only record RDP traffic and see what you can find and correlate to event log entries.
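The correlation step above, as an added example that is not part of the original answer: it assumes the TermDD/50 events were exported with UTC timestamps (for example via wevtutil or Get-WinEvent) and that the day-long capture was reduced with tshark to one line per inbound TCP SYN to port 3389. The event lines, the tshark lines and the "authorized" address ranges are all constructed sample data, not from the original post.

```python
"""Correlate TermDD Event ID 50 entries with RDP connection attempts.

Added example, not code from the original post. Assumed inputs:
  * event log lines "<ISO-8601 UTC time> <provider> <event id>"
  * tshark output reduced to "<epoch seconds>\t<source ip>" per SYN, e.g.
      tshark -r rdp.pcap \
        -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==3389" \
        -T fields -e frame.time_epoch -e ip.src
Both inputs below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample of TermDD/50 events (UTC) as they might be exported.
EVENTS = [
    "2010-03-01T02:14:07Z TermDD 50",
    "2010-03-01T02:15:32Z TermDD 50",
    "2010-03-01T09:40:11Z TermDD 50",
]

# Constructed tshark output: epoch seconds and source IP of each SYN to 3389.
SYN_LINES = """\
1267409645.120\t203.0.113.45
1267409730.801\t203.0.113.45
1267410000.000\t192.168.1.20
1267436409.330\t198.51.100.7
"""

# Hypothetical LAN/VPN ranges from which RDP is authorized.
AUTHORIZED = [ip_network("192.168.1.0/24"), ip_network("10.8.0.0/16")]


def parse_events(lines):
    """Return the UTC timestamps of TermDD events with ID 50."""
    out = []
    for line in lines:
        ts, provider, event_id = line.split()
        if provider == "TermDD" and event_id == "50":
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            out.append(when.replace(tzinfo=timezone.utc))
    return out


def parse_syns(text):
    """Return (UTC time, source address) pairs from the reduced tshark output."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, src = line.split("\t")
        when = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        out.append((when, ip_address(src)))
    return out


def is_authorized(addr):
    return any(addr in net for net in AUTHORIZED)


def correlate(events, syns, window=timedelta(seconds=10)):
    """For each TermDD/50 event, list the sources that opened a TCP connection
    to 3389 in the `window` before the event was logged."""
    result = []
    for ev in events:
        srcs = sorted({str(src) for t, src in syns if ev - window <= t <= ev})
        result.append((ev, srcs))
    return result


def unauthorized_sources(syns):
    """Count connection attempts from sources outside the authorized ranges."""
    counts = {}
    for _, src in syns:
        if not is_authorized(src):
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_events(EVENTS)
    syns = parse_syns(SYN_LINES)
    for when, srcs in correlate(events, syns):
        print(when.isoformat(), "TermDD/50 <-", srcs or "no matching connection")
    print("unauthorized sources:", unauthorized_sources(syns))
```

If an event has no matching connection in the window, either the capture filter missed the path (a different listening port, or traffic arriving over the VPN rather than the sniffed interface) or the clock on the capturing host and the server disagree; widen the window or check time synchronization before concluding anything. Sources that appear in the unauthorized list despite a "port 80 only" firewall rule are the thing to chase.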



Author: Jack

Updated on September 17, 2022

Comments

  • Jack
    Jack over 1 year

    I am getting the following error in the Event Log of a machine running Server 2008 R2:

    "The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client."

    Source: TermDD Event ID: 50

    I get about 5 of these per 24 hour period.

    The machine is a web server. It is exposed to the outside world, but only port 80 is open to it.

    I have some concern that this is the result of attempts at hacking the machine via Remote Desktop, but I can't fathom how that'd be possible with only port 80 open.

    An additional reason I'm concerned about malicious intent is that when I had the site hosted on a different 2008 R2 machine, it showed these log events. Then I changed the IP forwarding rules in my router, sent external traffic to the new machine, and it began showing the log events.

    There's no problem with Remote Desktop, it works normally, and is actually how I interact with these machines, there are no disconnections going on.

    Any suggestions as to what might be going on?

  • Jack
    Jack over 13 years
    I am the only person using RDP, and I typically leave the Remote Desktop window open to the machine all the time on my workstation. I tried closing it and leaving it off for a day, but the events still showed up. I do like your idea about watching the packets for a day, though. I already have Wireshark on the machine, so I will give that a shot.
  • Jack
    Jack over 13 years
    I let Wireshark run for a time, and it turns out South Koreans were trying to RDP into my server. This is possible because the garbage router that Comcast gave me was allowing all ports through, despite having a rule to only do 80.