Is someone trying to access my computer?

GregI

GregI

GregI

Associate
Joined
10 Dec 2007
Posts
1,822
Over the past two days I have noticed weird activity that is being blocked by Malware Bytes. Always on port 3389 which seems to be for remote desktop? It is only one instance and not repeated blocking.

The first from the protection log yesterday is...

IP-BLOCK 60.172.228.20 (Type: incoming, Port: 3389)

Then today...

IP-BLOCK 218.10.18.28 (Type: incoming, Port: 3389)

I am seriously considering a change of ISP and a complete reformat of my PC to be sure nothing happens.
 
Last edited:
MalwareBytes is blocking it? Why isn't a proper firewall blocking it?

Also, have you port forwarded port 3389? Your router should be hard blocking it no?

And yes. Port 3389 is default listen port for Remote Desktop Protocol. It's definate someone is trying to access RDP on your computer.

A reformat may be overkill though. Restarting your modem will probably assign you a new WAN IP address depending on your ISP.
 
If you leave 3389 open to the internet then it will be scanned and they will attempt to access it. Don't leave it open to the internet. Nothing else required.
 
Login to the router, change your port forward of 3389 -> 3389 -> Local IP address.

You want the external port to be something different, for example, 4000 mapping to 3389 of your local IP address. It's pretty terrible practise for forward the default port of something so important.

If you don't have a port forward enabled on your router, are you directly connected to the internet with the public IP? Again, being behind NAT these days is the safest way to go.

If you're behind a router but, no ports being mapped to your local IP address, then something on your machine might be setting it via uPNP, you could disable this on the router and get scanning your machine for viruses or malware.
 
ots3go said:
You want the external port to be something different, for example, 4000 mapping to 3389 of your local IP address. It's pretty terrible practise for forward the default port of something so important.

If you don't have a port forward enabled on your router, are you directly connected to the internet with the public IP? Again, being behind NAT these days is the safest way to go.
Click to expand...

Forwarding *any* port to a service which allows remote login from the internet without restriction is terrible practice. Changing the port to something else is merely security by obscurity and is a poor solution.

NAT is not security, that's not it's purpose and NAT will die and/or move beyond your control with time. Don't use it as security, use a firewall, that's what a firewall is for...
 
bigredshark said:
Forwarding *any* port to a service which allows remote login from the internet without restriction is terrible practice. Changing the port to something else is merely security by obscurity and is a poor solution.

NAT is not security, that's not it's purpose and NAT will die and/or move beyond your control with time. Don't use it as security, use a firewall, that's what a firewall is for...
Click to expand...

I concur with your first point, but it would be a start.

NAT is actually very strong security as no internal network activity can be triggered from the outside.

Why do you think IPv6 is adopting it?
 
If you dont use remote desktop, then there is no need to have the port open. Otherwise, make sure to have a decent firewall to restrict what IP is allowed over the port (We use ESET SmartSecurity to allow a specific IP, if we ever need to open the port).

If you dont like being port scanned on that port, then use another solution such as teamviewer or logmein etc.
 
ots3go said:
I concur with your first point, but it would be a start.

NAT is actually very strong security as no internal network activity can be triggered from the outside.

Why do you think IPv6 is adopting it?
Click to expand...

IPv6 isn't adopting, people who can't understand IPv6 are attempting to adopt it instead of actually getting a clue. It was never designed as a security mechanism, is a poor one as it's not stateful (so actually, an intelligently crafted attack can trigger internal network activity). NAT is not, never has been and never will be a good security measure.
 
bigredshark said:
IPv6 isn't adopting, people who can't understand IPv6 are attempting to adopt it instead of actually getting a clue. It was never designed as a security mechanism, is a poor one as it's not stateful (so actually, an intelligently crafted attack can trigger internal network activity). NAT is not, never has been and never will be a good security measure.
Click to expand...

RFC 4193 begs to differ, it's already been adopted by IPv6.

Anywho, shall stop de-railing now. :p.
 
Remove port forward or start using a router if the modem is connected to your PC.

Use Hamachi VPN for remote access, if you need it.
 
Ah yes I should have explained what I actually have.

Behind a basic Netgear router with NAT. I have not port forwarded anything besides a different port for an application I use. I have both Malware Bytes and ESET Smart Security 5 installed.
 
GregI said:
Ah yes I should have explained what I actually have.

Behind a basic Netgear router with NAT. I have not port forwarded anything besides a different port for an application I use. I have both Malware Bytes and ESET Smart Security 5 installed.
Click to expand...

With that in mind, then there is nothing to worry about, as you dont forward any ports in question. :)
 
I was under the impression that some "talented" people could simply attack any system if they have the determination to. It can't be as simple as not forwarding ports means you are safe.
 
GregI said:
I was under the impression that some "talented" people could simply attack any system if they have the determination to. It can't be as simple as not forwarding ports means you are safe.
Click to expand...

The router will stop all direct connections from the Internet if you don't have any forwarding rules in place. Determined individuals will probably send you a malicious email attachment or get you to visit a malicious site.

Do you have Windows Firewall enabled?
 
GregI said:
Yes. Is it ok to run ESET's and Windows firewall at the same time?
Click to expand...

You might have an issue running multiple firewalls, you'll just have to see how it goes. The main thing is that incoming traffic is blocked by a firewall.
 
You must log in or register to reply here.
Back
Top Bottom