
svchost.exe RTP Connection blocked


Hello! So I was recently playing a game 4 days ago. Then Malwarebytes showed me a notification: RTP Connection Blocked, Category: Compromised, IP: 103.133.109.116, Domain: N/A, Port: 48888, Type: Inbound Connection. I am worried that I have been infected, please help. I'm attaching the file with the RTP connection blocked.

suspiciousip.txt


  • Administrators
3 hours ago, Infernus said:

Alright, I have added this ip to windows firewall protection as a blocked ip. Hope it works.

Good call. It doesn't hurt to have that extra layer of firewall protection.

With that being said, I can help answer your original follow-up question. Essentially, you are seeing an alert where Malwarebytes successfully blocked an inbound connection attempt from a known compromised network used for brute force RDP attacks. The connection attempt was with an instance of the Windows Service Host Process (svchost.exe), which is used to run Windows Services. In turn, Remote Desktop Services (TermServ - termsrv.dll) is an example of a Windows Service that is hosted within svchost.exe.

Lastly, I'm not sure what your local network is comprised of, but it would be a good idea to make sure you have a quality router that provides an SPI Firewall and has options to help block incoming RDP connections. Most routers from companies like Linksys, Netgear, and Asus include these types of security features.


  • Administrators

@Infernus the most recent block is also from an IP used to perform brute force RDP attacks. Like the previous one, Malwarebytes was able to successfully prevent the inbound connection from occurring.

Unfortunately, this could be a situation where your current IP provided by your ISP is on a list of potentially exploitable victims and the attackers are just trying to connect by any means necessary. I know that can be annoying, but there isn't much we can do here since the attempts are happening and we are keeping you safe.

Like I mentioned in my previous post, you may want to see if your router provides an SPI Firewall as that can help prevent brute force and DDoS attempts.


I checked to see if there were any tools you could use to better deal with RDP brute force attacks and found an article referencing two free options available on Github:

https://github.com/devnulli/EvlWatcher
https://github.com/DigitalRuby/IPBan

That may help while you're researching a solution higher up the network stack/chain (i.e. your modem/router etc.).


41 minutes ago, Porthos said:

Do you use or need Windows remote desktop?

I am thinking of disabling it. https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Yep, that's what I do since I never use it. It's a good idea if RDP isn't needed for anything. You can kill Remote Assistance too if you don't use that (though theoretically, it shouldn't be possible for anyone to connect via Remote Assistance unless they are invited to do so by default).

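Putting the thread's advice together in one place, as an added PowerShell example that is not from anyone in this thread: it checks whether Remote Desktop is enabled, whether the built-in RDP firewall rules are open, whether a host-firewall block already exists for the reported IP, whether any failed RDP logons actually reached Windows (Security event 4625 with Logon Type 10), and optionally turns RDP off as the last post suggests. The IP is the one quoted in the first post; the event-log field positions are those of event 4625, and the script assumes an elevated prompt.

```powershell
# Added example (not from the thread): audit this host's RDP exposure from a
# defender's point of view and, optionally, turn Remote Desktop off.
# Run from an elevated PowerShell prompt. $BlockedIp is the address quoted in
# the thread's alert; pass whatever your own RTP block reported instead.
param(
    [string]$BlockedIp = '103.133.109.116',
    [switch]$DisableRdp
)

# 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
Write-Host ("Remote Desktop enabled            : {0}" -f ($denyTs -eq 0))

# 2. Are the built-in 'Remote Desktop' inbound firewall rules switched on?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
Write-Host ("Inbound RDP firewall rules enabled: {0}" -f @($rdpRules).Count)

# 3. Does a block rule already cover the reported IP? (A single-IP block is a thin
#    layer: the thread's second alert came from a different address.)
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains $BlockedIp }
Write-Host ("Existing block rule for {0}: {1}" -f $BlockedIp, [bool]$blockRule)

# 4. Did anything get past the network layer? Event 4625 with Logon Type 10 is a
#    failed RDP logon recorded by Windows itself. Property 10 = LogonType,
#    property 19 = source IpAddress in the 4625 event schema.
$since     = (Get-Date).AddDays(-7)
$failedRdp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Properties[10].Value -eq 10 }
Write-Host ("Failed RDP logons in last 7 days  : {0}" -f @($failedRdp).Count)
$failedRdp | Group-Object { $_.Properties[19].Value } | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count | Format-Table -AutoSize

# 5. Optional hardening: if RDP isn't needed, deny connections and close the rules.
if ($DisableRdp) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'Remote Desktop disabled and its inbound firewall rules turned off.'
}
```

Zero failed RDP logons alongside the Malwarebytes blocks means the attempts never reached the Windows logon path; a non-zero count is the signal to prioritise disabling RDP or blocking it at the router.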
