Russia was probing my ports! (And it didn't feel that good.)
I was checking the reason for a failed backup on my Windows box when luckily I noticed many failed logins and remote desktop access failures in the event log. Apparently for several days my remote desktop logins have been under brute-force attack. I logged into my server and found the same thing. The IP addresses that are the source of the attack point to Russia and Ukraine.
So I shut down remote desktop access to both machines. Set up a IP-address specific firewall in case it needs to get turned on for any reason. (I haven't been using it much recently anyway.) I had mapped RDA to an alternative port, but that was weak security at best. I also looked at the logs of logins on both machines and there were no unrecognized successful logins. I ran a virus and root-kit scan just in case, that came out clean.
I think I got lucky -- I suggest shutting down remote desktop access unless you're actively using it, or setting up a firewall exception that only lets known IP addresses through.