Why are there strange IPs when I query Get-NetTCPConnection -LocalPort 3389

Time:05-18

I am trying to determine if I am connected through RDP and store the client IP in an environment variable with a scheduled task which runs whenever I log on. My plan is to find the established connection to the 3389 port. However, I am seeing strange IPs which are not even in the subnet of the local address it's accessing. For example:

LocalAddress                        LocalPort RemoteAddress                       RemotePort State
------------                        --------- -------------                       ---------- -----
::                                  3389      ::                                  0          Listen
192.168.1.136                       3389      195.78.54.160                       57803      Established
192.168.1.136                       3389      192.168.1.138                       58194      Established
0.0.0.0                             3389      0.0.0.0                             0          Listen

It does show 192.168.1.138 from which I RDP into the server, but there is also a connection from 195.78.54.160 which I do not recognize at all. When I do this query repeatedly, these strange connections can change from time to time to IPs like 191.96.185.224. Sometimes, there are two such connections at one time. What are these connections? By IP lookup, these IPs are owned by PIA VPN which I had never heard of before (I cannot find it installed anywhere either). What does that have to do with RDP in my local network whatsoever? If they are there by design, how do I filter them out?

CodePudding user response:

Scans of the Internet are commonplace and made by actors of varying degrees of legitimacy, some benign and some not. It would not be unexpected to see such connections on a publicly exposed machine. RDP does not fall into the category of service that you would want to expose to the whole Internet.

As you state, and the output shows, your machine has a private RFC1918 address. I would check your firewall/router and see if it is doing port forwarding from its public IP address to your private LAN address.
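The filtering the question asks for, written up as an added example (not code from the original question or answer). It keeps only established TCP/3389 connections, classifies each remote address as RFC1918 or not, stores the LAN client's address in an environment variable, and warns about any public-address peer, since on a host that only has a private address such a peer can only arrive through a forwarding rule. The variable name `RDP_CLIENT_IP` and the function names are assumptions for illustration, not names Windows defines.

```powershell
# Added example (not from the original post). Find the RDP (TCP/3389) session that
# belongs to a LAN client and flag any established connection from a non-RFC1918
# address, which on a machine with a private address points at port forwarding.

function Test-Rfc1918Address {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # IPv4 only; the "::" listener rows never reach here because they are not Established.
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-RdpClients {
    # -State Established drops the 0.0.0.0/:: Listen rows from the question's output.
    # Get-NetTCPConnection raises an error when nothing matches, hence SilentlyContinue.
    Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                IsLan         = Test-Rfc1918Address $_.RemoteAddress
                OwningProcess = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '?' }
            }
        }
}

$clients = @(Get-RdpClients)
$lan     = @($clients | Where-Object IsLan)
$public  = @($clients | Where-Object { -not $_.IsLan })

# Store the LAN client's address for the logon scheduled task. RDP_CLIENT_IP is an
# assumed variable name; 'User' scope persists it for the logged-on account.
if ($lan.Count -gt 0) {
    [Environment]::SetEnvironmentVariable('RDP_CLIENT_IP', $lan[0].RemoteAddress, 'User')
}

# A public peer on a private-addressed host means the router/firewall is forwarding
# TCP/3389 from its public side. Surface it rather than silently filtering it out.
if ($public.Count -gt 0) {
    $peers = ($public | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    Write-Warning "TCP/3389 is reachable from the Internet; established peers: $peers"
}

$clients | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so `OwningProcess` resolves (the RDP listener lives in an `svchost` process); the `IsLan` column is the filter the question was missing, and the warning is the check that confirms or rules out the port-forwarding explanation given in the answer.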
