This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Could “tsclient” on my network indicate an attack?

1

"tsclient" recently appeared on a Windows 8 machine we have on our network. Reading around, it sounds like this is typically used for remote desktop applications. However, I haven't used any remote desktop services. (Unless some indirect application uses them? xbox glass?)

Could the appearance of tsclient indicate some sort of attack on my network? If so, what steps should I take to investigate?

Thank you for any help.

asked 21 Mar '13, 11:49


wheaton4prez


One Answer:

4

You need to be clear about what you mean by "appeared". When you use RDP (Remote Desktop or Windows Terminal Services) to connect to another machine (for support reasons or to run an application), your local machine is seen by the remote machine as "\\tsclient". This allows you to mount, say, a local drive or local printer as if it was connected to that machine. So on the remote machine "\\tsclient\c$" would map to your local machine's "C:\".

If you are allowing TCP port 3389 (the default port) in from other networks (for instance the Internet) and your machines are running the Remote Desktop service or Terminal Server service (not sure of the exact name), then potentially others can connect to your machine.

answered 21 Mar '13, 18:13


martyvis

Thank you for your response. I should have clarified where tsclient appeared.

It was in the list of "Computers" in the Network page of Windows Explorer. I did a reboot and it re-appeared in the same list along with computers that I know of on the network.

(21 Mar '13, 18:32) wheaton4prez

Then, I systematically went around the house powering down all of our machines to see if one of them was causing it. Eventually, I had the machine completely isolated. Wireless was turned off. Modem disconnected from router. All LAN machines unplugged from router. But, it still listed tsclient as a computer on the network. After I rebooted with everything disconnected, it was gone. I reconnected all devices as before and it hasn't returned.

(21 Mar '13, 18:32) wheaton4prez

These symptoms concern me because it seems consistent with someone gaining a remote connection somehow and then deciding to disconnect while I was troubleshooting.

I have not knowingly allowed port 3389 (or any other port for that matter). I have never run Remote Desktop or Terminal Services with this machine. Though, it's possible that they are on by default? (Windows 8)

(21 Mar '13, 18:32) wheaton4prez

I don't have Win 8, but on Win7 you can see the Remote Settings under My Computer: Properties. It shouldn't be allowed by default.

If I allow Remote Desktop and run the command below from CMD, I get:

C:\Users\me>netstat -an | find ":3389"
  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING
  TCP    [::]:3389       [::]:0       LISTENING

If Remote Desktop is not allowed, I get no result (which means there are no listeners).

My understanding is the "\\tsclient" would only appear in your Network folder after someone has connected to your machine via remote desktop.

(21 Mar '13, 19:23) martyvis
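An added triage script for the checks discussed in the answer and in the comment above (example code written for this page, not posted by martyvis or wheaton4prez). It assumes Windows 8 or later with PowerShell 3.0+, run from an elevated prompt so the Security log is readable. The registry values, event IDs and log channel names are the standard Windows ones; the Remote Assistance log is found by wildcard rather than assumed, and the `Get-RemoteAccessSettings`, `Get-RdpListener` and `Get-RdpLogonHistory` function names are this example's own.

```powershell
# Added example for this thread, not code from any of the posters.
# Assumes Windows 8+ / PowerShell 3.0+, elevated prompt (Security log needs admin rights).
# Checks, in order: the Remote Settings switches, whether anything listens on the RDP port,
# and whether the event logs record any RDP or Remote Assistance session.

function Get-RemoteAccessSettings {
    # The two switches from System > Remote Settings, read from the registry.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemoteDesktopEnabled        = ($ts.fDenyTSConnections -eq 0)   # 1 = "Don't allow remote connections to this computer"
        RemoteAssistanceEnabled     = ($ra.fAllowToGetHelp -eq 1)      # the "Allow Remote Assistance connections" checkbox
        RemoteAssistanceFullControl = ($ra.fAllowFullControl -eq 1)
    }
}

function Get-RdpListener {
    # Same question as  netstat -an | find ":3389"  but reads the configured port first,
    # because an administrator (or an intruder) can move RDP off 3389.
    $port = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
    Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-RdpLogonHistory {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # Security 4624 with LogonType 10 (RemoteInteractive) is an RDP logon; IpAddress is the client.
    $rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d['LogonType'] -eq '10') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = "$($d['TargetDomainName'])\$($d['TargetUserName'])"; Source = $d['IpAddress'] }
            }
        }

    # LocalSessionManager: 21 = session logon, 24 = disconnect, 25 = reconnect; the message text carries the source address.
    $sessions = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 24, 25; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # Remote Assistance has its own operational channel; discover it by name instead of hard-coding it.
    $assist = Get-WinEvent -ListLog '*RemoteAssistance*' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; StartTime = $since } -ErrorAction SilentlyContinue } |
        Select-Object TimeCreated, LogName, Id, Message

    [pscustomobject]@{ RdpLogons = @($rdpLogons); Sessions = @($sessions); RemoteAssistance = @($assist) }
}

# \\tsclient only resolves from inside an RDP session whose client redirected its drives
# (the mapping described in the answer); from the console it fails. SESSIONNAME says which one we are in.
$insideRdpSession = ($env:SESSIONNAME -like 'RDP-Tcp*') -or (Test-Path '\\tsclient' -ErrorAction SilentlyContinue)

Get-RemoteAccessSettings
Get-RdpListener
$history = Get-RdpLogonHistory -Days 30
"Inside an RDP session: $insideRdpSession"
"RDP logons (type 10) in the last 30 days: $($history.RdpLogons.Count)"
"Session manager events: $($history.Sessions.Count); Remote Assistance events: $($history.RemoteAssistance.Count)"
$history.RdpLogons | Format-Table -AutoSize
```

If `RemoteDesktopEnabled` is false, nothing listens on the RDP port, and there are no type-10 logons or LocalSessionManager events, no RDP session was established on this machine in the window examined. The Network folder is populated by discovery protocols and keeps cached entries for a while, so a name appearing there is not by itself evidence of a session; the event logs are the record to rely on.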

Thank you. This is very helpful.

I looked in Remote Settings. "Allow Remote Assistance connections to this computer" is indeed checked. I never selected that. So, it was either by default in Windows 8 or it was somehow switched on without me knowing.

There is a separate section for "Remote Desktop" and "Don't allow remote connections to this computer" is selected.

I ran the netstat command you list and I got nothing. So, it didn't appear to be listening.

Given that information, do you think it's likely/possible that an uninvited connection was made? Would they have access to anything?

(21 Mar '13, 21:20) wheaton4prez

From what I've read, a person has to be "invited" in order to start Remote Assistance. This raises several questions:

Would there be a log somewhere of the invite and connection?

If someone tried to connect through remote assistance but failed due to lack of invite, might it still show tsclient on the network?

If someone successfully remoted in to a different computer on the network, is it possible that they would show on this computer as tsclient?

Does anyone know if there is a documented way/malware/etc. for a hacker to invite themselves into a Remote Assistance session?

Thanks again!

(21 Mar '13, 21:51) wheaton4prez