Unknown and strange RDP successful logins in EventViewer

Posted by Yousef on Server Fault
Published on 2011-11-17T08:03:08Z; indexed on 2011/11/17 9:56 UTC

I have a Windows Server 2008 R2 with a valid IP, and recently I've found hundreds of unknown and strange RDP successful logins logged in EventViewer. Here are some details:

  1. They are not similar to normal logins; they happen like every second in a while, even when I myself am logged in to the server.
  2. The event reads "Remote Desktop Services: User authentication succeeded" in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", Event ID 1149.
  3. They seem to use some random user accounts without a domain name. I'm pretty sure that I don't have those local user accounts, and the server doesn't belong to any domain. Legitimate RDP logins have a valid user account and workgroup name, but those logins use unknown user names without any workgroup.

Support staff couldn't help me, and I'm very curious what these strange logins are. Are they some sort of brute force attack? So why does it read "Successful"? Am I being hacked? Why do they keep happening continually?

© Server Fault or respective owner
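One way to triage the events described in the post, as an added example that is not part of the original question: it parses Event ID 1149 records exported as XML and lists those with an empty domain and a user name that is not a known local account, counted per source address. The Param1/Param2/Param3 mapping (user, domain, source address), the sample records and the account names are assumptions; check them against your own export.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def _event(time, user, domain, ip):
    """Build one CONSTRUCTED 1149 record (assumed layout: Param1=user, Param2=domain, Param3=source)."""
    return (f'<Event xmlns="{NS}"><System><EventID>1149</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><UserData>'
            f'<EventXML xmlns="Event_NS"><Param1>{user}</Param1>'
            f'<Param2>{domain}</Param2><Param3>{ip}</Param3></EventXML></UserData></Event>')

# Constructed sample standing in for an export such as:
#   wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational /f:xml
# Names and addresses are invented (documentation IP ranges).
SAMPLE = "".join([
    _event("2011-11-17T07:58:01Z", "Administrator", "WORKGROUP", "198.51.100.7"),
    _event("2011-11-17T07:58:02Z", "a", "", "203.0.113.5"),
    _event("2011-11-17T07:58:03Z", "test1", "", "203.0.113.5"),
    _event("2011-11-17T07:58:04Z", "scanner", "", "203.0.113.9"),
])

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix

def parse_1149(xml_text):
    """Return one dict per Event ID 1149 record in a rootless XML export."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")  # export has no root element
    rows = []
    for ev in root:
        text = {_local(el.tag): (el.text or "").strip() for el in ev.iter()}
        attrs = {_local(el.tag): el.attrib for el in ev.iter()}
        if text.get("EventID") != "1149":
            continue
        rows.append({"time": attrs.get("TimeCreated", {}).get("SystemTime", ""),
                     "user": text.get("Param1", ""), "domain": text.get("Param2", ""),
                     "source": text.get("Param3", "")})
    return rows

def triage(rows, local_accounts):
    """Flag records with no domain/workgroup and a user name not among the local accounts."""
    known = {a.lower() for a in local_accounts}  # e.g. taken from the output of `net user`
    suspect = [r for r in rows if not r["domain"] and r["user"].lower() not in known]
    return suspect, Counter(r["source"] for r in suspect)

if __name__ == "__main__":
    suspect, by_source = triage(parse_1149(SAMPLE), ["Administrator", "svc_backup"])
    for r in suspect:
        print(r["time"], repr(r["user"]), "from", r["source"])
    print("per source:", dict(by_source))
```

The per-source counts show whether the entries come from a handful of addresses, which is the input needed for a firewall rule or for restricting RDP to known networks.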
