So I have been having several "Microsoft Windows Terminal server RDP over non-standard port attempt" on wich I have blocked the attackers I.P. and their country traffic. The MX successfully blocked the attacks but theres something bugging me. One of the affected machines, an NVR, is communicating with itself over its public IP address. What do I mean? the NVR private ip x.x.x.250 is reaching its NAT 1:1 x.x.x.7 IP address over TCP port 80, why this machine would establish communication with itself?
Also this same machine is establishing contact with a remotewd.com host for some reason over port 80 and 455 both TCP.
Another machine, a NAS, affected by RDP is contacting the same remotewd.com host but over ICMP.
Am I just confused and paranoid here or theres something else going on?