Many IP attempt scanning attack to 3389 port

If you opened 3389 port outside by mistake, you might be get log message like ’ +&Cookie: mstshash=hello ', ’ Cookie: *mstshash=A’, '/Cookie: mstshash=Administr’ .

This message means attempting to connect to your computer or server. It is trace of scanning attack

When you search this log on google, you can get result of most attack attempted from Russia IP.

There are 517 scanner attack to 3389 port. Of the 517 attacks, it can be confirmed that there are 392 attacks on the Chinese IP and 26 attacks on the Russian IP.


Port 3389 is for Windows Remote Desktop Protocol (RDP). Bots scan the internet constantly for common service ports like that. Best practice is to never allow access to those services directly from the internet, and to access via a secure VPN connection instead.

Windows remote desktop is by default port 3389 but you can configure it to basically any port not in use, a vpn is indeed the more secure but isn’t available to all users (vpn comes usually with a cost whether you set up one yourself or you pay for a service → I don’t trust free vpns)

Of 517 attacks, 28 is most? And 317 is not?

When I search ‘scanner_port’ keyword that search engine. I returned 517 results. and just below Top countries of IP’s whois data

Ohh, so how exactly can i check my scan history?

I’m in Ukraine, so it it relevant for sure

if you operate server on ngnix, check /var/log/nginx/access.log.

If you search your server IP in this search engine you can know which port open outside , has any vulnerability, etc.

If you open 3389 to the internet, you’re gonna have a bad time.

If you open Rdp to the internet you Will have a bad time*

Any service you put on the internet will be scanned and attacked multiple times a day.