Security – Unknown and strange RDP successful logins in EventViewer

eventviewer, rdp, remote-desktop, security, windows-server-2008

I have a Windows Server 2008 R2 with a valid IP, and recently I've found hundreds of unknown and strange RDP successful logins logged in EventViewer. Here are some details:

  1. They are not similar to normal logins; they happen about every second for a while, even when I myself am logged in to the server.
  2. Event reads "Remote Desktop Services: User authentication succeeded" in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", Event ID 1149
  3. They seem to use some random user accounts without a domain name. I'm pretty sure that I don't have those local user accounts, and the server doesn't belong to any domain. Legitimate RDP logins have a valid user account and workgroup name, but those logins use unknown user names without any workgroup.

Support staff couldn't help me, and I'm very curious what these strange logins are. Are they some sort of brute-force attack? If so, why does it read "Successful"? Am I being hacked? Why do they keep happening continually?

EDIT: I'd like to point out again that these accounts DO NOT EXIST on the server. I wonder why there should be a successful RDP login from a user account which does not exist (e.g. one that has no user profile folder).

Best Answer

Just because no user directory exists does not mean that users do not exist. Check the local user and service accounts in the MMC to validate that they really do not exist.

These symptoms are usually a sign of an RDP worm traversing a network. Also validate that any anti-malware utility you're running is up to date, and run a full scan on that machine. If there is an RDP worm and there were successful logins, then chances are that you're already infected.

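The check the answer recommends, as an added example that is not part of the original question or answer: pull every Event ID 1149 from the RemoteConnectionManager/Operational log, compare the reported user names against the accounts that actually exist on the machine, and then look in the Security log for a 4624 (logon succeeded) or 4625 (logon failed) for the same names. It assumes an elevated PowerShell 3.0 or later session on the affected server (WMF 3.0 installs on 2008 R2 SP1), and that the 1149 event carries user, domain and source address as Param1/Param2/Param3 in its UserData, which is how the event is laid out; the one-day window and the field names are the only other assumptions.

```powershell
# Added example, not code from the original post. Lists the accounts seen in
# Event ID 1149, flags names that match no local account, then checks the
# Security log for 4624/4625 events for those names.
# Assumptions: elevated PowerShell 3.0+ on the server; 1149 stores
# user/domain/source address as Param1/Param2/Param3 in UserData (open one
# event's XML view in Event Viewer if your build lays it out differently).

$tsLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$since = (Get-Date).AddDays(-1)   # window to examine; adjust as needed

# Return a named EventData field from a Security log event's XML.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Collect the 1149 "User authentication succeeded" connections.
$connections = Get-WinEvent -FilterHashtable @{ LogName = $tsLog; Id = 1149; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $x.Param1
            Domain   = $x.Param2
            SourceIP = $x.Param3
        }
    }

# 2. Compare against the accounts that really exist on this machine.
#    Win32_UserAccount works on Server 2008 R2, where Get-LocalUser is not available.
#    -notcontains is case-insensitive, matching how Windows treats user names.
$localUsers = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object { $_.Name }
$unknown = $connections | Where-Object { $localUsers -notcontains $_.User }

"1149 connections whose user name is not a local account:"
$unknown | Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Did any of those names actually obtain a logon? 4624 = succeeded,
#    4625 = failed. LogonType 10 is RemoteInteractive (classic RDP);
#    LogonType 3 shows up when NLA authenticates before the session exists.
$names = $unknown | ForEach-Object { $_.User } | Sort-Object -Unique
$secEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue

"Security log outcomes for those names:"
$secEvents | ForEach-Object {
    $user = Get-EventDataField $_ 'TargetUserName'
    if ($names -contains $user) {
        if ($_.Id -eq 4624) { $outcome = 'SUCCESS' } else { $outcome = 'FAILURE' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Outcome   = $outcome
            User      = $user
            LogonType = Get-EventDataField $_ 'LogonType'
            SourceIP  = Get-EventDataField $_ 'IpAddress'
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Step 3 is the decisive one: a 1149 on its own only records that a session was negotiated with the RDP listener, so a stream of 4625s for those names means a brute-force attempt against non-existent accounts, while any 4624 for a name you do not recognise means a credential was accepted and the host should be treated as compromised. The source addresses from step 2 are what you would feed to the firewall in either case; restricting the RDP listener to known addresses and requiring NLA stops the noise at the network edge.
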