Solved

Terminal services port change

Posted on 2011-02-11
Last Modified: 2012-05-11
Good day everyone,

After patching one of our 32 bit Win2K3 Terminal server servers on Wednesday it became inaccessible.

We also had a connectivity issue which was a red herring, as I followed up on problems on that service but eventually that led nowhere.

I finally determined that the terminal server service had somehow moved to port 4490 – I looked into the registry and found the oddity.

Have we been hacked?
What could cause this?

Is there a way to trace what happened / when it happened?

Thanks in advance and,

Cheers, JK

Question by:islandtug
4 Comments
 
LVL 9

Assisted Solution

by:sshah254
sshah254 earned 62 total points
ID: 34876873
Have you been hacked?  Possibly ...

What could cause this?  Some program running on the server that could make changes to the registry.  This could have happened knowingly or unknowingly.

Is there a way to trace what happened?  Unlikely.

Was there damage done?  Maybe.  Since you were not able to connect, maybe even the hacker was unable to connect.  On the other hand, maybe the hacker was smart enough to know the change and connected on that port itself.

Do you have a firewall in between?

If you do, then you may not have an external hacker problem since he would not have been able to get in (if 4490 was blocked).

But if it was internal hacking, then yes you may have compromised something.

Finally, it's software ... accidents happen ... even by MS engineers ... or IT geeks.

If you are a public limited co. ... report it ... if not, take the necessary precautions going forward.

Ss
0
 
LVL 6

Expert Comment

by:Raneesh Chitootharayil
ID: 34876951
What kind of router are you using for internet? Do you have any firewall kept on your network?
0
 
LVL 8

Accepted Solution

by:
Toxacon earned 63 total points
ID: 34882158
TCP/4490 is not a commonly known port and there is no high attack activity to that port. What I could think of is that someone who was about to move the Terminal Server from port 3389 to 3390 made a typo and wrote 4490 instead.

But of course you should check security logs etc. and do the forensics to rule out a hacking event.
0
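For the "when did it happen" part of the question, the registry key that holds the listener port carries a last-write timestamp that can be compared with the patch time. The script below is an added example, not code from anyone in this thread; it assumes Windows PowerShell 5.1 on an admin workstation, the Remote Registry service reachable on the target, and the standard RDP-Tcp listener key (the thread does not quote the registry path). `$Server` is a placeholder parameter.

```powershell
# Added example. Assumptions: Windows PowerShell 5.1, Remote Registry reachable
# on the target, caller has read access to HKLM. $Server is a placeholder.
param([string]$Server = $env:COMPUTERNAME)

# Standard RDP listener key (well-known location; not quoted in the thread).
$path = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# RegQueryInfoKey returns the key's last-write FILETIME, which the .NET
# RegistryKey class does not expose.
Add-Type -Namespace Native -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr cls, IntPtr clsLen,
    IntPtr reserved, IntPtr subKeys, IntPtr maxSubKeyLen, IntPtr maxClassLen,
    IntPtr values, IntPtr maxValueNameLen, IntPtr maxValueLen,
    IntPtr secDescLen, out long lastWriteTime);
'@

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Server)
$key  = $hklm.OpenSubKey($path)          # opened read-only
if (-not $key) { $hklm.Close(); throw "RDP-Tcp key not found on $Server" }

try {
    $port = [int]$key.GetValue('PortNumber')

    [long]$ft = 0
    $z  = [IntPtr]::Zero                  # fields we do not need are passed as NULL
    $rc = [Native.Reg]::RegQueryInfoKey($key.Handle.DangerousGetHandle(),
              $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }

    # One object per server, easy to pipe to Export-Csv for several hosts.
    [pscustomobject]@{
        Server          = $Server
        PortNumber      = $port
        IsDefaultPort   = ($port -eq 3389)
        KeyLastWriteUtc = [DateTime]::FromFileTimeUtc($ft)
    }
}
finally {
    $key.Close()
    $hklm.Close()
}
```

The timestamp is per key, not per value: any write to a value in RDP-Tcp updates it, so it gives the most recent write rather than proof of when `PortNumber` itself changed. Changing the port back also resets it, so capture it before remediation.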
 

Author Closing Comment

by:islandtug
ID: 34992535
Thank you everyone for your input.

We have a firewall and port 4490 is not open; ergo, not an outside attack.

We have moved the service to another non-standard port and have seen no traffic coming in on the original assigned 4490; ergo, I am now comfortable that this was not a hack.

FYI, we use pfSense for our router and have most of everything blocked, and when we do open ports it is from specific IPs, so this has to be a typo or some kind of system error that caused this.

Thanks to everyone who posted up and,

Cheers, JK
0
