On Tue, Sep 22, 2015 at 4:05 PM, Kurt Buff <[email protected]> wrote:
> Any other GPOs setting this?

No

> Any local policies configured?

No

> What does "netstat -anop tcp | findstr 1550" reveal on an affected client?

P:\utils\SysInternals Tools>netstat -anop tcp | findstr 1550
  TCP    127.0.0.1:1550         0.0.0.0:0              LISTENING       2724

Apparently I have a lot of affected clients, haven't had time to check
all 160+. But I am seeing it on the half dozen I am spot checking. I
tried a gpupdate /force, to no effect. And I can't change it manually,
it keeps changing back.


>
> Kurt
>
> On Tue, Sep 22, 2015 at 12:55 PM, Michael Leone <[email protected]> wrote:
>> This is weird. I am noticing that a number of my clients of my WSUS
>> 3.0 SP 2 server seem to be having their registry settings for the WSUS
>> server to use, being reset.
>>
>> I assign the WSUS server via GPO, and this has been working fine for
>> years. Now, however, I noticed the WSUS console indicates that some
>> clients need a lot more updates than they should. Examining the
>> clients, and looking at the reg key
>>
>> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
>>
>> that "WUServer" and "WUStatusServer" are both set to "http://127.0.0.1:1550".
>>
>> Additionally, there is a new key
>>
>> HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate-{601C5C5E-2C8F-4507-B11C-CE0EC46C42F4}
>>
>> with the correct settings that point to my WSUS server.
>>
>> I tried changing the key back to my server name, and in a few seconds,
>> it reverts back to "http://127.0.0.1:1550".
>>
>> The GPO is set correctly. DNS is resolving for that name. Doing a
>>
>> http://wsus-server/selfupdate/wuident.cab
>>
>> does give me the wuident.txt file.
>>
>> So what's going on here? It seems weird to be malware, and I got no
>> alerts from our AV. On the affected clients, doing a check for windows
>> updates does come back and say that there are updates waiting ...
>>
>> Going to http://127.0.0.1:1550 gives me this:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> -<SOAP-ENV:Envelope
>> xmlns:wusWebServiceSoap12="http://www.microsoft.com/SoftwareDistribution/WebServiceSoap12"
>> xmlns:wusWebServiceSoap="http://www.microsoft.com/SoftwareDistribution/WebServiceSoap"
>> xmlns:wusSoftwareDistribution="http://www.microsoft.com/SoftwareDistribution"
>> xmlns:wusSimpleAuthSoap12="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/SimpleAuthSoap12"
>> xmlns:wusSimpleAuthWebService="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService"
>> xmlns:wusSimpleAuthSoap="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/SimpleAuthSoap"
>> xmlns:wusServerSyncProxySoap12="http://www.microsoft.com/SoftwareDistribution/ServerSyncProxySoap12"
>> xmlns:wusServerSyncProxySoap="http://www.microsoft.com/SoftwareDistribution/ServerSyncProxySoap"
>> xmlns:wusDssAuthWebServiceSoap12="http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService/DssAuthWebServiceSoap12"
>> xmlns:wusIMonitorable="http://www.microsoft.com/SoftwareDistribution/Server/IMonitorable"
>> xmlns:wusDssAuthWebServiceSoap="http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService/DssAuthWebServiceSoap"
>> xmlns:wusDssAuthWebService="http://www.microsoft.com/SoftwareDistribution/Server/DssAuthWebService"
>> xmlns:wusClientSoap12="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/ClientSoap12"
>> xmlns:wusClientWebService="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"
>> xmlns:wusClientSoap="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/ClientSoap"
>> xmlns:wusTypes="http://microsoft.com/wsdl/types/"
>> xmlns:aklwngt="http://tempuri.org/aklwngt.xsd"
>> xmlns:param="http://tempuri" xmlns:ns="urn:person"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
>> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">-<SOAP-ENV:Body>-<SOAP-ENV:Fault
>> SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><faultcode>SOAP-ENV:Client</faultcode><faultstring>HTTP
>> Error: 404 Not
>> Found</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
>>
>>
>> And that all looks like legit Microsoft sites, to me.
>>
>>
>
>
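
An added example, not part of the original thread: a read-only PowerShell check for the symptom described above. It reports whether WUServer/WUStatusServer point at a loopback address, lists any sibling WindowsUpdate-* policy keys, and names the process and services behind the PID that netstat shows listening on that port. It assumes Windows PowerShell (Get-WmiObject is not available in PowerShell 6 and later); the variable names are illustrative.

```powershell
# Added example (not from the original thread). Read-only; run elevated so
# process details are visible. Assumes Windows PowerShell (Get-WmiObject).
$root   = 'HKLM:\Software\Policies\Microsoft\Windows'
$policy = Get-ItemProperty -Path "$root\WindowsUpdate" -ErrorAction SilentlyContinue
if (-not $policy) { Write-Output 'No WindowsUpdate policy key found.'; return }

# Sibling keys such as WindowsUpdate-{GUID}, where the thread found the
# GPO-assigned values after the live key had been rewritten.
Get-ChildItem -Path $root |
    Where-Object { $_.PSChildName -like 'WindowsUpdate-*' } |
    ForEach-Object {
        $copy = Get-ItemProperty -Path $_.PSPath
        Write-Output ("{0}: WUServer={1} WUStatusServer={2}" -f $_.PSChildName, $copy.WUServer, $copy.WUStatusServer)
    }

foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    $uri   = $null
    if (-not $value) { continue }
    if (-not [uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
        Write-Output "$name = '$value' is not an absolute URL"
        continue
    }
    if (-not $uri.IsLoopback) {
        Write-Output "$name = $value (not loopback)"
        continue
    }
    # netstat columns: Proto, Local Address, Foreign Address, State, PID
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $uri.Port
    $owners  = @(netstat -anop tcp |
        ForEach-Object { if ($_ -match $pattern) { [int]$Matches[1] } } |
        Sort-Object -Unique)
    if ($owners.Count -eq 0) {
        Write-Output "$name = $value (loopback, but nothing is listening on port $($uri.Port))"
        continue
    }
    foreach ($procId in $owners) {
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $svc  = @(Get-WmiObject Win32_Service -Filter "ProcessId = $procId" | ForEach-Object { $_.Name })
        Write-Output "$name = $value -> PID $procId"
        Write-Output "  image:    $($proc.ExecutablePath)"
        Write-Output "  cmdline:  $($proc.CommandLine)"
        Write-Output "  services: $($svc -join ', ')"
    }
}
```

The image path and service names identify what installed the local listener, which is the next question after the netstat output in the reply above.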

