Device talking to itself

Solved
DanIsTaken

Hello and good part of the day you are!

So I have been having several "Microsoft Windows Terminal server RDP over non-standard port attempt" on which I have blocked the attackers' IP and their country traffic. The MX successfully blocked the attacks, but there's something bugging me. One of the affected machines, an NVR, is communicating with itself over its public IP address. What do I mean? The NVR private IP x.x.x.250 is reaching its NAT 1:1 x.x.x.7 IP address over TCP port 80. Why would this machine establish communication with itself?

Also, this same machine is establishing contact with a remotewd.com host for some reason over ports 80 and 455, both TCP.

Another machine, a NAS, affected by RDP is contacting the same remotewd.com host but over ICMP.

Am I just confused and paranoid here, or is there something else going on?

1 Accepted Solution
PhilipDAth
Kind of a big deal

Note that the RDP over non-standard port warning is really only an issue if you have NAT'ed through ports to a machine offering RDP on a non-standard port.

Otherwise you can ignore this.


2 Replies
SoCalRacer
Kind of a big deal

From my understanding remotewd.com is a Western Digital cloud backup service. Are these devices doing cloud backup/sync?

My guess on the NVR is that it is verifying it is publicly accessible; might need to contact the vendor of the devices though.

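The two checks discussed in this thread, as an added example that is not part of the original posts: flag LAN hosts connecting to their own 1:1 NAT public address, and keep only the inbound flows that hit a port actually NAT'ed through, which is the case the accepted answer says matters. The addresses, NAT table, LAN range and flow tuples are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Assumed LAN range; constructed for this example.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed 1:1 NAT table: (public_ip, lan_ip, inbound TCP ports allowed).
# Documentation-range addresses stand in for the elided x.x.x.250 / x.x.x.7.
NAT_1TO1 = [
    ("203.0.113.7", "192.168.1.250", {80}),    # NVR
    ("203.0.113.8", "192.168.1.251", {3390}),  # host with RDP on a non-standard port
]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
FLOWS = [
    ("192.168.1.250", "203.0.113.7", "tcp", 80),    # NVR -> its own public IP
    ("192.168.1.250", "198.51.100.20", "tcp", 80),  # NVR -> external host
    ("198.51.100.99", "203.0.113.7", "tcp", 3389),  # inbound, port not forwarded
    ("198.51.100.99", "203.0.113.8", "tcp", 3390),  # inbound, port forwarded
]


def self_hairpin(flows, nat):
    """Flows where a LAN host connects to the public IP that maps back to itself."""
    own_public = {lan: pub for pub, lan, _ in nat}
    return [f for f in flows if own_public.get(f[0]) == f[1]]


def reachable_inbound(flows, nat):
    """Flows from outside the LAN whose destination port is NAT'ed through."""
    allowed = {pub: ports for pub, _, ports in nat}
    return [
        f for f in flows
        if ipaddress.ip_address(f[0]) not in LAN
        and f[2] == "tcp"
        and f[3] in allowed.get(f[1], set())
    ]


if __name__ == "__main__":
    for f in self_hairpin(FLOWS, NAT_1TO1):
        print("host reaching its own 1:1 NAT address:", f)
    for f in reachable_inbound(FLOWS, NAT_1TO1):
        print("inbound flow to a forwarded port:", f)
```

The LAN range is checked explicitly because Python's `is_private` also returns true for the documentation ranges used as stand-in public addresses here.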
