Solved

Terminal services port change

Posted on 2011-02-11
4
794 Views
Last Modified: 2012-05-11
Good day everyone,

After patching one of our 32 bit Win2K3 Terminal server servers on Wednesday it became inaccessible.

We also had a connectivity issue which was a red herring as I followed up on problems on that service but eventually that lead nowhere.

I finally determined that the terminal server service had somehow moved to port 4490 – I looked into the registry and found the oddity.

Have we been hacked?
What could cause this?

Is there a way to trace what happened / when it happened?

Thanks in advance and,

Cheers, JK

0
Comment
Question by:islandtug
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 9

Assisted Solution

by:sshah254
sshah254 earned 62 total points
ID: 34876873
Have you been hacked?  Possibly ...

What could cause this?  Some program running on the server that could make changes to the registry.  This could have happened knowingly or unknowingly.

Is there a way to trace what happened?  Unlikely.

Was there damage done?  Maybe.  Since you were not able to connect, maybe even the hacker was unable to connect.  On the other hand, maybe the hacker was smart enough to know the change and connected on that port itself.

Do you have a firewall in between?

If you do, then you may not have an external hacker problem since he would not have been able to get in (if 4490 was blocked).

But if it was internal hacking, then yes you may have compromised something.

Finally, it's software ... accidents happen ... even by MS engineers ... or IT geeks.

If you are a public limited co. ... report it ... if not, take the necessary precautions going forward.

Ss
0
 
LVL 6

Expert Comment

by:Raneesh Chitootharayil
ID: 34876951
what kind of router you are using for internet? do you have any firewall kept on your network?
0
 
LVL 8

Accepted Solution

by:
Toxacon earned 63 total points
ID: 34882158
TCP/4490 is not a commonly known port and there is no high attack activity to that port. What I could think of is that if someone was about to move the Terminal Server from port 3389 to 3390 did a typo and wrote 4490 instead.

But of cource you should check security logs etc. and do the forensics to rule out a hacking event.
0
 

Author Closing Comment

by:islandtug
ID: 34992535
Thank you everyone for your input.

We have a firewall and port 4490 is not open ergo, not an outside attack.

We have moved the service to another non standard port and have seen no traffic coming in on the original assigned 4490 ergo, I am now comfortable that this was not a hack.

FYI, we use pfSense for our router and have most of everything blocked and when we do open ports it is from specific IPs so, this has to be a typo or some kind of system error that caused this.

Thanks to everyone who posted up and,

Cheers, JK
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question