Solved

Terminal services port change

Posted on 2011-02-11
4
792 Views
Last Modified: 2012-05-11
Good day everyone,

After patching one of our 32 bit Win2K3 Terminal server servers on Wednesday it became inaccessible.

We also had a connectivity issue which was a red herring as I followed up on problems on that service but eventually that lead nowhere.

I finally determined that the terminal server service had somehow moved to port 4490 – I looked into the registry and found the oddity.

Have we been hacked?
What could cause this?

Is there a way to trace what happened / when it happened?

Thanks in advance and,

Cheers, JK

0
Comment
Question by:islandtug
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 9

Assisted Solution

by:sshah254
sshah254 earned 62 total points
ID: 34876873
Have you been hacked?  Possibly ...

What could cause this?  Some program running on the server that could make changes to the registry.  This could have happened knowingly or unknowingly.

Is there a way to trace what happened?  Unlikely.

Was there damage done?  Maybe.  Since you were not able to connect, maybe even the hacker was unable to connect.  On the other hand, maybe the hacker was smart enough to know the change and connected on that port itself.

Do you have a firewall in between?

If you do, then you may not have an external hacker problem since he would not have been able to get in (if 4490 was blocked).

But if it was internal hacking, then yes you may have compromised something.

Finally, it's software ... accidents happen ... even by MS engineers ... or IT geeks.

If you are a public limited co. ... report it ... if not, take the necessary precautions going forward.

Ss
0
 
LVL 6

Expert Comment

by:Raneesh Chitootharayil
ID: 34876951
what kind of router you are using for internet? do you have any firewall kept on your network?
0
 
LVL 8

Accepted Solution

by:
Toxacon earned 63 total points
ID: 34882158
TCP/4490 is not a commonly known port and there is no high attack activity to that port. What I could think of is that if someone was about to move the Terminal Server from port 3389 to 3390 did a typo and wrote 4490 instead.

But of cource you should check security logs etc. and do the forensics to rule out a hacking event.
0
 

Author Closing Comment

by:islandtug
ID: 34992535
Thank you everyone for your input.

We have a firewall and port 4490 is not open ergo, not an outside attack.

We have moved the service to another non standard port and have seen no traffic coming in on the original assigned 4490 ergo, I am now comfortable that this was not a hack.

FYI, we use pfSense for our router and have most of everything blocked and when we do open ports it is from specific IPs so, this has to be a typo or some kind of system error that caused this.

Thanks to everyone who posted up and,

Cheers, JK
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question