Lately, I’ve seen many Event ID 56 entries on our remote server.
It says ‘The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 220.127.116.11.’
Most of the client IPs belong to our users. Many of them are from countries like Russia and Germany.
I looked up ‘18.104.22.168’ and it is from Russia. I have enabled port forwarding on our remote server so it is no longer 3389.
I wonder if this is just port scanning that hackers do, or whether our server has been compromised? Any help is appreciated. TIA