Unknown and strange RDP successful logins in EventViewer

windows-server-2008 security remote-desktop rdp eventviewer
11,465

Solution 1

Just because no user directory exists does not mean that users do not exist. Check the local user and service accounts in the MMC to validate that they really do not exist.

These symptoms are usually a sign of an RDP worm traversing a network. Also validate that any anti-malware utility you're running is up to date and run a full scan on that machine. If there is an RDP worm and there were successful logins then chances are that you're already infected.

Solution 2

I had exactly similar problem and to reproduce the results all I had to do was connect to remote machine using a rdp client that don't have Network Level Authentication(ubuntu rdp client) and entering an imaginary username. I was presented with a login screen and the event was logged in event viewer as successful authentication of remote desktop. However it was not possible to login using the imaginary account. If it is possible I suggest you turn on network level Authentication for Remote Desktop.

Share:
11,465

Related videos on Youtube

Yousef Salimpour
Author by

Yousef Salimpour

Updated on September 18, 2022

Comments

  • Yousef Salimpour
    Yousef Salimpour over 1 year

    I have a Windows Server 2008 R2 with a valid IP, and recently I've found hundreds of unknown and strange RDP successful logins logged in EventViewer. Here are some details:

    1. They are not similar to normal logins, they happen like every second in a while even when I myself am logged in to the server.
    2. Event reads "Remote Desktop Services: User authentication succeeded" in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", Event ID 1149
    3. They seem to use some random user accounts without a domain name. I'm pretty sure that I don't have those local user accounts, and the server doesn't belong to any domain. Legitimate RDP logins have a valid user account and workgroup name, but those logins use unknown user names without any workgroup.

    Support staff couldn't help me and I'm very curious what are these strange logins. Are they some sort of brute force attack? so why does it read "Successful"? Am I being hacked? Why do they keep happening continually?

    EDIT: I like to point out again that these accounts DO NOT EXIST on the server. I wonder why should there be a successful RDP login from a user account which does not exist. (e.g. has no user profile folder)

    • Admin
      Admin over 12 years
      I am having the exact same problem. I am sure the logged accounts aren't valid against my local system. I accidentally stumbled on the rdp log and there are no other symptoms my system is compromised. The connection are comming from all over the world: Brazil, USA, UK etc The username that are being used are: test, user, admin, administrator Hopefully someone has some more informations on this
    • Admin
      Admin over 12 years
      I found the same messages today. When checking the Security log it looks like those connections were rejected by the server lateron. It is strange that the RemoteConnectionManager login shows them as success while the audit shows them als failed. Also these connections do not show up in the LocalSessionManager log, that one only shows successful RDP connections (and not the strange ones). Did you ever find out more about this problem?
    • Admin
      Admin over 12 years
      All the Addresses are external, they are from very different IP ranges, as Liam mentioned. I finally blocked all unknown IPs using firewall, but I didn't find out where they came from and why this happened.
  • Yousef Salimpour
    Yousef Salimpour over 12 years
    Well they are not from a single network but from many different IP ranges.
  • Top__Hat
    Top__Hat over 12 years
    There is a semi-recent network worm that attacks through RDP. What are the account names that connect?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Installing Terminal Server (Remote Desktop Services) on a Domain Controller (Active Directory)
Domain User can RDP into Domain Controller?
Remote Desktop Authentication without NTLM - How to Configure from non-Windows clients?
Remote Desktop performance issues in Windows 2008
Does windows Remote Desktop have any protection against brute force attacks?
Filtering Security Logs by User and Logon Type
Are there any RDP activity logs? - Windows Server 2008 R2
Remote desktop session ends abruptly with a "protocol error"
Your system administrator does not allow the use of saved credentials to log on to the remote computer
Safety of RDP without network level authentication