ASUS RT-AC1900P Continued attempts on 3389

jraymond4321

New Around Here
Hi, I have a ASUS RT-AC1900P running Merlin v 386.4. My home PC is running a wired connection. I utilize Remote Desktop into my PC at various times. I have port 3390 forwarded to 3389 for my home PC, and I also have 3391 forwarded to 3389 for a virtual machine I sometimes run.

On my home PC, I've noticed thousands of logon failures to port 3389 in the Event Viewer/Windows Logs/Security. If I clear the log, I'll have 10 or so entries within a second or 2.

I'm now running Malwarebytes to intercept the attempts.

On my router, when I look at the System Log - Active Connections, I see the various IP's that are attempting under the NAT IP, and then various entries under the NAT Port, all attempting to connect to my home PC (Destination IP) on port 3389. The state on all of these is SYS_SENT.
For example:
Prot NAT Address NAT Port Destination IP Port State
TCP 89.248.173.201 49562 My PC 3389 SYS_SENT
TCP 80.82.65.19 25135 My PC 3389 SYS_SENT
TCP 80.82.65.19 57978 My PC 3389 SYS_SENT

I have a couple of questions. First, why is the NAT Port from the spamming IP's changing? Does this indicate something on my PC is initiating the action (ie virus)? How does the NAT port know to resolve to 3389? Is there some way to block this activity?

Thanks in advance.
 

ColinTaylor

Part of the Furniture
This is normal port scanning/hacking attempts. That's what you should expect when you expose commonly used ports to the internet.

For example: https://www.abuseipdb.com/check/89.248.173.201

To significantly reduce the number of attempts change the public port to a random non-obvious number between 5001 and 32767.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top