Infected server or undocumented change by MS?


2 replies to this topic

#1 fuxer


Posted 05 November 2014 - 07:17 AM

Hi!

 

We have a really strange issue here. A lot of our computers are hanging on login and logout. After a bit of troubleshooting we discovered that our firewall is blocking requests from the computers on port 5102 towards the domain controllers.

This is a port that has always been blocked. When we created an exception for the computers, login worked perfectly again. It seems like LSASS is the listening service.

We can't find any article or documentation on this issue, and it probably started over the weekend.

Has anyone experienced this?

Edit: Trend Micro OfficeScan is installed on both servers and we've done a full scan with Malwarebytes.


Edited by hamluis, 05 November 2014 - 08:10 AM.
Moved from Win Server to Am I Infected - Hamluis.



 


#2 Wand3r3r


Posted 06 November 2014 - 06:30 PM

Pretty unusual to be filtering ports on a LAN. Why?

http://technet.microsoft.com/en-us/library/cc875824.aspx

doesn't show port 5102 being used by a MS service. LSASS uses random ports.



#3 fuxer


Posted 12 November 2014 - 08:08 AM

> Pretty unusual to be filtering ports on a LAN. Why?
>
> http://technet.microsoft.com/en-us/library/cc875824.aspx
>
> doesn't show port 5102 being used by a MS service. LSASS uses random ports.

We figured this one out. Some guys in our IT department in Sweden had suddenly changed RPC ports without telling us about it.

And we're filtering ports on the LAN because we have hundreds of employees working with different high-security development projects. People are only supposed to reach the servers they need access to.


Edited by fuxer, 12 November 2014 - 08:10 AM.
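
For readers who hit the same symptom, the following is an added example (not code from any poster in this thread) of how to check on a domain controller which process owns a listener such as TCP 5102 and whether a changed RPC port configuration explains it. It assumes Windows Server 2012 or later, an elevated prompt, and the standard registry locations for restricted RPC ports and for the static NTDS and Netlogon ports; the function name `Get-RegValue` is a helper made up for this example.

```powershell
# Added example: explain an unexpected listening port on a domain controller.
# Assumes Server 2012+ (Get-NetTCPConnection) and an elevated session.
param([int]$Port = 5102)   # port from the thread; pass another value as needed

# 1. Which process owns the listener?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $Port"
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess
    Write-Output ("TCP {0}:{1} is owned by {2} (PID {3})" -f `
        $l.LocalAddress, $Port, $proc.ProcessName, $proc.Id)
}

# Hypothetical helper: read one registry value, $null if key or value is absent.
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 2. Static ports for AD replication and Netlogon (both hosted in lsass.exe).
$static = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort' }
)
foreach ($s in $static) {
    $value = Get-RegValue $s.Path $s.Name
    if ($null -ne $value) {
        $match = if ($value -eq $Port) { 'MATCHES' } else { 'does not match' }
        Write-Output ("{0}\{1} = {2} ({3} TCP {4})" -f $s.Path, $s.Name, $value, $match, $Port)
    }
}

# 3. Restricted range for dynamically assigned RPC endpoints ("5000-5200" or "5102").
$ranges = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' 'Ports'
foreach ($r in @($ranges)) {
    if (-not $r) { continue }          # value not configured
    $lo, $hi = $r -split '-'
    if (-not $hi) { $hi = $lo }        # single port instead of a range
    if ($Port -ge [int]$lo -and $Port -le [int]$hi) {
        Write-Output "TCP $Port falls inside the restricted RPC range '$r'"
    }
}

# 4. OS-wide dynamic port range, for comparison with the firewall rules.
netsh int ipv4 show dynamicport tcp
```

If step 1 names `lsass` and step 2 or 3 reports a match, the listener is explained by RPC port configuration, and the firewall exceptions need to follow whatever range was configured.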




