Terminal services port change

Good day everyone,

After patching one of our 32-bit Win2K3 Terminal Server servers on Wednesday, it became inaccessible.

We also had a connectivity issue which was a red herring, as I followed up on problems on that service but eventually that led nowhere.

I finally determined that the terminal server service had somehow moved to port 4490 – I looked into the registry and found the oddity.

Have we been hacked?
What could cause this?

Is there a way to trace what happened / when it happened?

Thanks in advance and,

Cheers, JK

Asked by: islandtug
 
Toxacon commented:
TCP/4490 is not a commonly known port and there is no high attack activity to that port. What I could think of is that someone who was about to move the Terminal Server from port 3389 to 3390 made a typo and wrote 4490 instead.

But of course you should check security logs etc. and do the forensics to rule out a hacking event.
0
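
One starting point for the forensics suggested above, as an added example that is not part of the original thread: read the RDP listener's `PortNumber` and the registry key's last-write time, then compare that time with the patch window. The key path is the standard location of the RDP-Tcp listener settings; the function names and the maintenance-window dates are illustrative assumptions.

```python
import datetime as dt

# Standard location of the RDP listener settings; PortNumber defaults to 3389.
RDP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
DEFAULT_PORT = 3389
EPOCH_1601 = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)


def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + dt.timedelta(microseconds=filetime // 10)


def read_listener():
    """Return (port, last_write_utc) for the live RDP-Tcp key (Windows only)."""
    import winreg  # imported here so the helpers also load on an analysis host
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RDP_KEY) as key:
        port, _type = winreg.QueryValueEx(key, "PortNumber")
        _subkeys, _values, last_write = winreg.QueryInfoKey(key)
    return port, filetime_to_utc(last_write)


def assess(port, last_write, window_start, window_end):
    """Report a non-default port and whether the key's last write falls
    inside a known maintenance window (for example, the patch run)."""
    findings = []
    if port != DEFAULT_PORT:
        findings.append("PortNumber is %d, not the default %d" % (port, DEFAULT_PORT))
    if window_start <= last_write <= window_end:
        findings.append("key last written inside the maintenance window")
    else:
        findings.append("key last written outside the maintenance window at %s"
                        % last_write.isoformat())
    return findings


if __name__ == "__main__":
    # Constructed window: replace with the real start and end of the patch run.
    start = dt.datetime(2000, 1, 1, tzinfo=dt.timezone.utc)
    end = dt.datetime(2000, 1, 2, tzinfo=dt.timezone.utc)
    port, written = read_listener()
    for line in assess(port, written, start, end):
        print(line)
```

The last-write time covers every value under the key and records only the most recent write, so it has to be collected before anyone changes the port again.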
 
sshah254 commented:
Have you been hacked?  Possibly ...

What could cause this?  Some program running on the server that could make changes to the registry.  This could have happened knowingly or unknowingly.

Is there a way to trace what happened?  Unlikely.

Was there damage done?  Maybe.  Since you were not able to connect, maybe even the hacker was unable to connect.  On the other hand, maybe the hacker was smart enough to know the change and connected on that port itself.

Do you have a firewall in between?

If you do, then you may not have an external hacker problem since he would not have been able to get in (if 4490 was blocked).

But if it was internal hacking, then yes you may have compromised something.

Finally, it's software ... accidents happen ... even by MS engineers ... or IT geeks.

If you are a public limited co. ... report it ... if not, take the necessary precautions going forward.

Ss
0
 
Raneesh (IT Support) commented:
What kind of router are you using for internet? Do you have any firewall on your network?
0
 
islandtug (Author) commented:
Thank you everyone for your input.

We have a firewall and port 4490 is not open ergo, not an outside attack.

We have moved the service to another non-standard port and have seen no traffic coming in on the originally assigned 4490; ergo, I am now comfortable that this was not a hack.

FYI, we use pfSense for our router and have most of everything blocked and when we do open ports it is from specific IPs so, this has to be a typo or some kind of system error that caused this.

Thanks to everyone who posted up and,

Cheers, JK
0
Question has a verified solution.