RPC problems

So after spending a great deal of time trying to figure out why one of my customer's servers had stopped responding on ports 135 and 445 (RPC), I found that someone had run an “ipseccmd” script to block some ports on the machine, for a reason that I don’t understand completely. Why on earth would a hacker want to block ports if they want to use it to send spam through it? Makes no sense. In any case, if you ever come across a machine that clearly has a blocked port, but there is no firewall running on that machine, check the IPsec rules. They may not show in the Local Security Policy manager, but they will show in the registry and the Security Event log straight after a reboot.
