Daily Network Attack


Kaspersky has been reporting some network attacks to me daily for maybe more than 1 year. I've tried to reach the community later, but they couldn't solve my problem, so I'm giving it another try. Kaspersky's report says it's a "Bruteforce.Generic.Rdp.d". It is always trying to attack TCP port 3389. I've blocked it in my firewall so it won't be a threat anymore, yet the report is still showing it's attacking the port. As expected, the IP is never the same, so it's something like 20 different IPs daily. So, my questions are: how do I get rid of it? Is it something I've downloaded? Is it some port I've opened? How dangerous is it?

Hello astronaut954, welcome to the new forum. I think it's an external attack. TCP port 3389 belongs to Microsoft Remote Desktop Services. This service is vulnerable, it always has new bugs. According to the message, someone is trying to penetrate your system through one of these vulnerabilities; it has nothing to do with software installed on your computer. If you don't need RDP, you can still block the port in the firewall. Unfortunately, more is not possible.

Greetings Schulte! Thanks for the reply. So if it is an external attack, I think it needs to have my external IP, yet my IP is set to be dynamic. How is it possible for someone to have my IP without me providing it? I ask because the pop-ups showing 20 daily attacks are pretty annoying.

Hi astronaut954, if my suspicion is correct, your computer will not be attacked directly, but the attack will be distributed to all IP addresses; they will be randomly selected. Maybe you could ask your provider (Telefonica Brasil?) if they know anything about the attacks and if they can do something against them.

Network attacks 1+ year. Popups showing 20 daily attacks.
Hello astronaut954,
  1. As well as the advice from Schulte, may we have a copy of the KTS REPORTS showing BRUTEFORCE.GENERIC.RDP events? Export the report, save it as a text file and upload it using the "upload icon" in your reply.
  2. May we have a GSI and Windows logs? Please upload the .zip to cloud storage of your choice and post back the share link.
  3. A year is a long time. I'm a little unclear re: "I tried to reach the community, but they couldn't solve my problem". Was that the Kaspersky Community/Forum? Has this issue been logged with Kaspersky Technical Support?
Please let us know. Thanks.
GSI/Windows doc: https://support.kaspersky.com/common/diagnostics/3632#block7
Also, the following is a link to generic Bruteforce.Generic.RDP info and other relevant articles: https://threats.kaspersky.com/en/threat/Bruteforce.Generic.RDP/

  • 3 weeks later...
Sorry for the late reply, I was busy with a lot of things. Here are the archives you asked me for:
  1. reports-all-astronaut954.txt : it's all the reports of Kaspersky (past 30 days)
  2. reports-network-astronaut954.txt : it's only the reports of the network attacks (past 30 days)
  3. (GSI6_RAMOSES-PC_Ramoses_08_26_2019_09_42_48) https://drive.google.com/file/d/1MF-TslUXhKfAzRWmQHH9EGm8uNvoyaPK/view?usp=sharing : it's the GSI and Windows logs
  4. (wireshark-astronaut954.pcapng) https://drive.google.com/file/d/15hUj1HV0mQtQRbT0k2wb2z8kryIfu-Rq/view?usp=sharing : it's the Wireshark Log
Also, today the total number of attacks was more than 250, and I've noticed that the internet was REALLY slow while being constantly attacked (something that already happened in the past).

  • 2 weeks later...
Hi, have you submitted a ticket to technical support? Can you share the INC number with me? It looks like a false positive that will be fixed next week. But we need to check the traces and traffic logs to say for sure. Thank you and sorry about the inconvenience caused.

Hello, I'm back here to update you guys about the problem. The support asked me to update my Windows, and for some reason there were almost 800 updates in the queue; I don't know why my Windows wasn't updating. After I updated everything, the network attacks stopped for more than 1 week. I'm guessing it was some important security updates that were missing. Thanks for all the help, guys.

  • 1 year later...

I have the same problem: every day I have more than 50 network attacks in our network from Bruteforce.Generic.Rdp.a on port 3389 (RDP).

Solution:

I changed the port number 3389 for Windows, and since then there have been no attacks in our network; it is 100% safe.

  1. Start the registry editor. (Type regedit in the Search box.)
  2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Find PortNumber
  4. Click Edit > Modify, and then click Decimal.
  5. Type the new port number, and then click OK.
  6. Close the registry editor, and restart your computer.

https://docs.microsoft.com/en-US/windows-server/remote/remote-desktop-services/clients/change-listening-port
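
An added example, not part of the post above and not Kaspersky's or Microsoft's code: a read-only PowerShell audit (run elevated) of the RDP listener that the registry steps configure, followed by a count of failed logons by source address to show whether attempts reach authentication at all. The value names `fDenyTSConnections` and `UserAuthentication`, the English rule group name "Remote Desktop" and event ID 4625 do not appear in the thread; they are standard Windows names.

```powershell
# Added example: read-only audit of the local RDP listener. Changes nothing.
$ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"   # same subkey as in step 2 of the post

$deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

# Is anything actually listening on the configured port?
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
    -ErrorAction SilentlyContinue)

# Enabled inbound allow rules in the built-in "Remote Desktop" group
# (display name on English-language Windows; localized systems differ).
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' }

[pscustomobject]@{
    RdpEnabled        = ($deny -eq 0)   # 0 = connections allowed
    ConfiguredPort    = $port           # 3389 unless changed as in the post
    ListenerPresent   = $listening
    NlaRequired       = ($nla -eq 1)    # Network Level Authentication
    InboundAllowRules = @($rules).Count
}

# Failed logons (Security event 4625) in the last 24 hours, grouped by source address.
# An empty result while the antivirus still reports probes means the probes are
# being dropped before they reach Windows authentication.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$failed | ForEach-Object {
    $xml = [xml]$_.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

After a port change, the built-in firewall rules still reference 3389, so a rule for the new port has to exist before `ListenerPresent` translates into a reachable service.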

