Solved

Terminal services port change

Posted on 2011-02-11
Last Modified: 2012-05-11
Good day everyone,

After patching one of our 32-bit Win2K3 Terminal Server servers on Wednesday, it became inaccessible.

We also had a connectivity issue, which was a red herring, as I followed up on problems on that service but eventually that led nowhere.

I finally determined that the terminal server service had somehow moved to port 4490 – I looked into the registry and found the oddity.

Have we been hacked?
What could cause this?

Is there a way to trace what happened / when it happened?

Thanks in advance and,

Cheers, JK

Question by:islandtug
4 Comments
 
LVL 9

Assisted Solution

by:sshah254
sshah254 earned 62 total points
Have you been hacked?  Possibly ...

What could cause this?  Some program running on the server that could make changes to the registry.  This could have happened knowingly or unknowingly.

Is there a way to trace what happened?  Unlikely.

Was there damage done?  Maybe.  Since you were not able to connect, maybe even the hacker was unable to connect.  On the other hand, maybe the hacker was smart enough to know the change and connected on that port itself.

Do you have a firewall in between?

If you do, then you may not have an external hacker problem since he would not have been able to get in (if 4490 was blocked).

But if it was internal hacking, then yes you may have compromised something.

Finally, it's software ... accidents happen ... even by MS engineers ... or IT geeks.

If you are a public limited co. ... report it ... if not, take the necessary precautions going forward.

Ss
 
LVL 6

Expert Comment

by:Raneesh Chitootharayil
What kind of router are you using for internet? Do you have any firewall on your network?
 
LVL 8

Accepted Solution

by:Toxacon
Toxacon earned 63 total points
TCP/4490 is not a commonly known port and there is no high attack activity to that port. What I could think of is that someone who was about to move the Terminal Server from port 3389 to 3390 made a typo and wrote 4490 instead.

But of course you should check security logs etc. and do the forensics to rule out a hacking event.
 

Author Closing Comment

by:islandtug
Thank you everyone for your input.

We have a firewall and port 4490 is not open; ergo, not an outside attack.

We have moved the service to another non-standard port and have seen no traffic coming in on the originally assigned 4490; ergo, I am now comfortable that this was not a hack.

FYI, we use pfSense for our router and have most of everything blocked, and when we do open ports it is from specific IPs, so this has to be a typo or some kind of system error that caused this.

Thanks to everyone who posted up and,

Cheers, JK
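
On the question of when the change happened and the advice to do forensics: the registry key that holds the RDP listener port carries a last-write timestamp, which can be compared against known maintenance such as the patch run. The following is an added example, not code from anyone in the thread; the function names, the approved port and the change-window list are assumptions of the example, and the dates in it are constructed.

```python
from datetime import datetime, timedelta, timezone

# Standard registry location of the RDP / Terminal Services listener settings.
RDP_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

def filetime_to_utc(filetime):
    """Registry last-write times are 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def read_rdp_listener():
    """Return (PortNumber, key last-write time in UTC). Runs on Windows only."""
    import winreg  # imported here so the pure functions below work anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RDP_KEY) as key:
        port, _value_type = winreg.QueryValueEx(key, "PortNumber")
        last_write = winreg.QueryInfoKey(key)[2]
    return port, filetime_to_utc(last_write)

def assess(port, last_write, approved_port, change_windows):
    """List findings for the listener state.

    approved_port and change_windows (a list of (start, end) UTC datetimes for
    known maintenance such as a patch run) are inputs assumed by this example.
    """
    findings = []
    if port != approved_port:
        findings.append(f"PortNumber is {port}, expected {approved_port}")
    if not any(start <= last_write <= end for start, end in change_windows):
        findings.append(f"key last written {last_write:%Y-%m-%d %H:%M} UTC, "
                        "outside every known change window")
    return findings

if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample values, not data from the thread's server.
    patch_window = [(datetime(2011, 2, 9, 18, 0, tzinfo=utc),
                     datetime(2011, 2, 9, 23, 0, tzinfo=utc))]
    try:
        port, last_write = read_rdp_listener()
    except ImportError:  # not on Windows: fall back to the constructed sample
        port, last_write = 4490, datetime(2011, 2, 10, 3, 0, tzinfo=utc)
    for finding in assess(port, last_write, 3389, patch_window):
        print("REVIEW:", finding)
```

The timestamp covers the whole key, so it marks the most recent write to any value under it, and moving the port again overwrites it. Record it before remediation.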