svchost.exe RTP Connection blocked

[Infernus]

Hello! So I was recently playing a game 4 days ago. Then the malwarebytes showed me an information: RTP Connection Blocked Category: Compromised, IP: 103.133.109.116, Domain: N/A, Port: 48888, Type: Inbound Connection. I am worried if I have been infected, please help. I'm attaching the file with the RTP connection blocked.

suspiciousip.txt

[Dashke]

This is a legit detection, Malwarebytes has blocked an RDP attack.

[Infernus]

What does it mean? I get it almost everytime I launch my computer.

 

[Infernus]

Alright, I have added this ip to windows firewall protection as a blocked ip. Hope it works.

[AlexSmith]

3 hours ago, Infernus said:

Alright, I have added this ip to windows firewall protection as a blocked ip. Hope it works.

Good call. It doesn't hurt to have that extra layer of firewall protection.

With that being said, I can help answer your original follow up question. Essentially, you are seeing an alert where Malwarebytes successfully blocked an inbound connection attempt from a known compromised network used for brute force RDP attacks. The connection attempt was with an instance of the Windows Service Host Process (svchost.exe) which is used to run Windows Services. In turn, Remote Desktop Services (TermServ - termsrv.dll) is an example of a Windows Service that is hosted within svchost.exe.

Lastly, I'm not sure what your local network is comprised of, but it would be a good idea to make sure you have a quality router that provides an SPI Firewall and has options to help block incoming RDP connections. Most routers from companies like Linksys, Netgear, and Asus include these types of security features.

[Infernus]

Hello!

Thank you for a reply. I blocked it, but then another IP showed up getting blocked from malwarebytes. I'm confused, what should I do? 

 

[AlexSmith]

@Infernus the most recent block is also from an IP used to perform brute force RDP attacks. Like the previous one, Malwarebytes was able to successfully prevent the inbound connection from occurring.

Unfortunately, this could be a situation where your current IP provided by your ISP is on a list of potential exploitable victims and the attackers are just trying to connect by any means necessary. I know that can be annoying, but there isn't much we can do here since the attempts are happening and we are keeping you safe.

Like I mentioned in my previous post, you may want to see if your router provides an SPI Firewall as that can help prevent brute force and DDoS attempts.

[exile360]

I checked to see if there were any tools you could use to better deal with RDP brute force attacks and found an article referencing two free options available on Github:

https://github.com/devnulli/EvlWatcher
https://github.com/DigitalRuby/IPBan

That may help while you're researching a solution higher up the network stack/chain (i.e. your modem/router etc.).

[Porthos]

3 hours ago, Infernus said:

I'm confused, what should I do? 

Do you use or need Windows remote desktop?

I  am thinking disabling it. https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

[exile360]

41 minutes ago, Porthos said:

Do you use or need Windows remote desktop?

I  am thinking disabling it. https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Yep, that's what I do since I never use it.  It's a good idea if RDP isn't needed for anything.  You can kill Remote Assistance too if you don't use that (though theoretically, it shouldn't be possible for anyone to connect via Remote Assistance unless they are invited to do so by default).