Discussion:
Dashboard and port 1025 scanning?
Ruth Aylett
2006-05-19 08:04:41 UTC
I take my recent Powerbook into work sometimes and attach it to the
network. Today I was told:

"the machine attempted to connect to UDP port 1025 on at least 20 machines
on the subnet, which consists mainly of Windows XP machines in <another
dept>. It tried each machine a number of times. The source port started at
53727 and
increased each time, finishing off at port 54846."

Now my laptop, running Tiger, does not have a virus according to a scan I
then carried out with the latest version of Virex 7.7. I wondered whether
this behaviour was actually coming from widgets mounted on the Dashboard?
The port is said to be for BlackJack (but I have no gambling apps) but
also to be the first output port given to an app by the OS if it does not
specify one. It is described as: System V R3 listener; used by uucp.

Has anyone else noticed this behaviour? If not Dashboard, can anyone think
of anything else that might be doing this? It is causing a certain amount
of panic and alarm and I'd really like to get to the bottom of it.
David Stone
2006-05-19 12:01:32 UTC
Post by Ruth Aylett
I take my recent Powerbook into work sometimes and attach it to the
"the machine attempted to connect to UDP port 1025 on at least 20 machines
on the subnet, which consists mainly of Windows XP machines in <another
dept>. It tried each machine a number of times. The source port started at
53727 and
increased each time, finishing off at port 54846."
http://www.iana.org/assignments/port-numbers says:

blackjack 1025/tcp network blackjack
blackjack 1025/udp network blackjack
# Unknown contact

A google search pulls up a few references.

From 2003, seems to be a Windows problem:
http://www.grc.com/port_1025.htm

Microsoft launched "Universal plug'n'play" which made
use of port 1025:
http://www.governmentsecurity.org/archive/t10781.html

There also seem to be a lot of casino game sites
promoting blackjack - probably no coincidence if
they use the same port number...

From http://www.macdevcenter.com/pub/a/mac/2005/03/15/firewall.html
[quote]
1025
Officially the port used by blackjack servers but also used by a
backdoor trojan called PWSteal.ABCHlp. Again, I am being scanned by a
computer looking for a backdoor.
[/quote]

The most Mac-related seemed to be this:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033757.html

- are you running OS X, or OS X server?

- have you been playing on-line blackjack at home?

- is your system software up-to-date (10.4.6)?

- what is the release date for your virus definitions?

- what date was the last complete scan?
Ruth Aylett
2006-05-19 15:21:27 UTC
Post by David Stone
Post by Ruth Aylett
I take my recent Powerbook into work sometimes and attach it to the
"the machine attempted to connect to UDP port 1025 on at least 20 machines
on the subnet, which consists mainly of Windows XP machines in <another
dept>. It tried each machine a number of times. The source port started at
53727 and
increased each time, finishing off at port 54846."
[/quote]
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033757.html
- are you running OS X, or OS X server?
OS X
Post by David Stone
- have you been playing on-line blackjack at home?
No - not my thing at all. I have never played any online games, still less
gambling.
Post by David Stone
- is your system software up-to-date (10.4.6)?
Yes.
Post by David Stone
- what is the release date for your virus definitions?
I uploaded the evaluation copy of virex 7.7 yesterday and ran a complete
scan. It found nothing. So the definitions must be up to date I think.
This scanning behaviour is not new - I was told the same a month or two
back.
Tom Stiller
2006-05-19 15:44:15 UTC
Post by Ruth Aylett
I take my recent Powerbook into work sometimes and attach it to the
"the machine attempted to connect to UDP port 1025 on at least 20
machines on the subnet, which consists mainly of Windows XP machines
in <another dept>. It tried each machine a number of times. The
source port started at 53727 and increased each time, finishing off
at port 54846."
Now my laptop, running Tiger, does not have a virus according to a
scan I then carried out with the latest version of Virex 7.7. I
wondered whether this behaviour was actually coming from widgets
mounted on the Dashboard? The port is said to be for BlackJack (but I
have no gambling apps) but also to be the first output port given to
System V R3 listener; used by uucp.
Has anyone else noticed this behaviour? If not Dashboard, can anyone
think of anything else that might be doing this? It is causing a
certain amount of panic and alarm and I'd really like to get to the
bottom of it.
You might find the culprit by running the 'lsof' command, e.g.
'lsof -i udp' will find all processes using the udp protocol on all
internet and x.25 network files.
--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
7BDA 71ED 6496 99C0 C7CF
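A single run of 'lsof -i udp' only shows sockets open at the instant it runs, and a short burst of probes can be over before anyone types the command. The script below is an added example, not something posted in this thread: it keeps the parsing of lsof output in a function, checks that function against constructed sample lines shaped like 'lsof -nP -i udp' output on Mac OS X (the Skype, PID and address values are made up), and offers a polling loop that logs which process is sending to a given remote UDP port. The function names udp_peers_to_port, sample_peers_to_1025 and watch_udp_port are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Parse 'lsof -nP -i udp' output and
# report which process holds a UDP socket connected to a given remote port,
# then poll so that short-lived senders are caught. Sample lines below are
# CONSTRUCTED in the shape of lsof output; they are not a real capture.

SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Skype      412 ruth   12u  IPv4 0x1a2b      0t0  UDP *:51234
Skype      412 ruth   15u  IPv4 0x1a2c      0t0  UDP 192.168.1.20:53727->192.168.1.50:1025
Skype      412 ruth   16u  IPv4 0x1a2d      0t0  UDP 192.168.1.20:53728->192.168.1.51:1025
mDNSRespon  31 root    7u  IPv4 0x1a2e      0t0  UDP *:5353
ntpd       120 root    4u  IPv4 0x1a2f      0t0  UDP *:123'

# Read lsof output on stdin; print "COMMAND PID <count>" for every process
# that has a UDP socket connected to remote port $1. The NAME column for a
# connected socket looks like "local:port->remote:port", so we match on the
# part after "->". Output is sorted so it is stable.
udp_peers_to_port() {
    awk -v port="$1" 'NR > 1 && $NF ~ ("->[^ ]*:" port "$") { c[$1 " " $2]++ }
                      END { for (k in c) print k, c[k] }' | sort
}

# Run the parser over the constructed sample (used as a self-check).
sample_peers_to_1025() {
    printf '%s\n' "$SAMPLE" | udp_peers_to_port 1025
}

# Poll lsof every $2 seconds (default 1) and log, with a timestamp, any
# process found sending to UDP port $1. Start it with: watch_udp_port 1025
# Leave it running while the network people say the scanning is happening.
watch_udp_port() {
    port="$1"; interval="${2:-1}"
    while :; do
        hits=$(lsof -nP -i udp 2>/dev/null | udp_peers_to_port "$port")
        [ -n "$hits" ] && printf '%s %s\n' "$(date '+%H:%M:%S')" "$hits"
        sleep "$interval"
    done
}

# Demonstrate the parser on the sample: prints "Skype 412 2".
sample_peers_to_1025
```

The -n and -P flags keep lsof from resolving hostnames and service names, which is both faster and avoids port 1025 being printed as "blackjack" from /etc/services. Polling is crude compared to a packet capture, but it answers the question lsof alone cannot: which process was holding the socket at the moment the probes went out.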
Ruth Aylett
2006-05-19 15:53:36 UTC
Post by Tom Stiller
Post by Ruth Aylett
I take my recent Powerbook into work sometimes and attach it to the
"the machine attempted to connect to UDP port 1025 on at least 20
machines on the subnet, which consists mainly of Windows XP machines
in <another dept>. It tried each machine a number of times. The
source port started at 53727 and increased each time, finishing off
at port 54846."
Now my laptop, running Tiger, does not have a virus according to a
scan I then carried out with the latest version of Virex 7.7. I
wondered whether this behaviour was actually coming from widgets
mounted on the Dashboard? The port is said to be for BlackJack (but I
have no gambling apps) but also to be the first output port given to
System V R3 listener; used by uucp.
Has anyone else noticed this behaviour? If not Dashboard, can anyone
think of anything else that might be doing this? It is causing a
certain amount of panic and alarm and I'd really like to get to the
bottom of it.
You might find the culprit by running the 'lsof' command, e.g.
'lsof -i udp' will find all processes using the udp protocol on all
internet and x.25 network files.
Tried this, and skype was all that came up. Closed it and there is
nothing. Well, the problem seemed to still occur with skype not running -
and my desk machine is running skype too (admittedly under OS X 10.3.9)
without causing this behaviour.
Tom Stiller
2006-05-19 19:38:09 UTC
Post by Ruth Aylett
Post by Tom Stiller
Post by Ruth Aylett
I take my recent Powerbook into work sometimes and attach it to the
"the machine attempted to connect to UDP port 1025 on at least 20
machines on the subnet, which consists mainly of Windows XP machines
in <another dept>.
[snip]
Post by Ruth Aylett
Post by Tom Stiller
You might find the culprit by running the 'lsof' command, e.g.
'lsof -i udp' will find all processes using the udp protocol on all
internet and x.25 network files.
Tried this, and skype was all that came up. Closed it and there is
nothing. Well, the problem seemed to still occur with skype not running -
and my desk machine is running skype too (admittedly under OS X 10.3.9)
without causing this behaviour.
The confusion about blackjack is probably due to the fact that UDP port
1025 is assigned to "blackjack" in /etc/services.

If you have X-Windows installed, you could run the program ethereal to
capture a packet being sent and examine its contents for a clue to the
culprit.

Another possibility is to compile a small program to listen on UDP port
1025 and capture the data. Below is the source for a trivial
application to listen on the UDP port specified on the command line. If
it is compiled as 'dgramread', invoke it as 'dgramread 1025'.

-------------------------------------------------------------------------
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>     /* exit, atoi */
#include <string.h>     /* memset */
#include <unistd.h>     /* read, close */

/*
 * This program creates a datagram socket, binds a name to it, then reads
 * one datagram from the socket and prints it.
 */
int main(int argc, char **argv)
{
    int sock;
    socklen_t length;
    ssize_t n;
    struct sockaddr_in name;
    char buf[1024];

    /* Create socket from which to read. */
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("opening datagram socket");
        exit(1);
    }
    /* Create name with wildcards: any local address, port from argv[1]. */
    memset(&name, 0, sizeof(name));
    name.sin_family = AF_INET;
    name.sin_addr.s_addr = htonl(INADDR_ANY);
    name.sin_port = htons((argc > 1) ? atoi(argv[1]) : 2099);
    if (bind(sock, (struct sockaddr *)&name, sizeof(name))) {
        perror("binding datagram socket");
        exit(1);
    }
    /* Find assigned port value and print it out. */
    length = sizeof(name);
    if (getsockname(sock, (struct sockaddr *)&name, &length)) {
        perror("getting socket name");
        exit(1);
    }
    printf("Socket has port #%d\n", ntohs(name.sin_port));
    /* Read one datagram; leave room for a terminating NUL, since the
     * payload is arbitrary bytes and need not be a C string. */
    n = read(sock, buf, sizeof(buf) - 1);
    if (n < 0) {
        perror("receiving datagram packet");
        n = 0;
    }
    buf[n] = '\0';
    printf("-->%s\n", buf);
    close(sock);
    return 0;
}
--
Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
7BDA 71ED 6496 99C0 C7CF
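The listener above prints the payload with printf("%s"), which tells you little if the probe carries binary data, and it does not say which host sent it. The program below is an added example in the same spirit, not Tom's code and not from the thread: it uses recvfrom() so each datagram is reported with its source address and port, hex-dumps the bytes, and loops instead of exiting after one packet. The names dgramdump, format_datagram, open_udp_listener and selftest are mine, and the datagram in selftest is constructed, not captured traffic.

```c
/* Added example (not from the thread): a dgramread variant that reports the
 * sender of each UDP datagram and hex-dumps the payload. Build as
 * 'dgramdump' and run 'dgramdump 1025'; port 1025 needs no privilege. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Render one datagram as "from A.B.C.D:port len=N hex=..." into out.
 * Returns the text length, or -1 if out is too small or the address
 * cannot be formatted. Never writes past outlen. */
int format_datagram(const struct sockaddr_in *from, const unsigned char *data,
                    size_t len, char *out, size_t outlen)
{
    char ip[INET_ADDRSTRLEN];
    size_t pos, i;
    int n;

    if (inet_ntop(AF_INET, &from->sin_addr, ip, sizeof(ip)) == NULL)
        return -1;
    n = snprintf(out, outlen, "from %s:%u len=%zu hex=",
                 ip, (unsigned)ntohs(from->sin_port), len);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    pos = (size_t)n;
    for (i = 0; i < len; i++) {
        n = snprintf(out + pos, outlen - pos, "%02x", data[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Bind a UDP socket to all local addresses on 'port'. Returns fd or -1. */
int open_udp_listener(unsigned short port)
{
    struct sockaddr_in name;
    int sock = socket(AF_INET, SOCK_DGRAM, 0);

    if (sock < 0)
        return -1;
    memset(&name, 0, sizeof(name));
    name.sin_family = AF_INET;
    name.sin_addr.s_addr = htonl(INADDR_ANY);
    name.sin_port = htons(port);
    if (bind(sock, (struct sockaddr *)&name, sizeof(name)) != 0) {
        close(sock);
        return -1;
    }
    return sock;
}

/* Self-check on a CONSTRUCTED datagram: 3 bytes from 192.168.1.50:53727
 * (the source port from the thread, the address made up). Returns 1 on
 * success, 0 otherwise; also checks a too-small buffer is refused. */
int selftest(void)
{
    struct sockaddr_in from;
    unsigned char payload[3] = { 0x01, 0x02, 0xff };
    char line[128], tiny[10];

    memset(&from, 0, sizeof(from));
    from.sin_family = AF_INET;
    from.sin_port = htons(53727);
    if (inet_pton(AF_INET, "192.168.1.50", &from.sin_addr) != 1)
        return 0;
    if (format_datagram(&from, payload, 3, line, sizeof(line)) != 40)
        return 0;
    if (strcmp(line, "from 192.168.1.50:53727 len=3 hex=0102ff") != 0)
        return 0;
    return format_datagram(&from, payload, 3, tiny, sizeof(tiny)) == -1;
}

int main(int argc, char **argv)
{
    unsigned short port = (argc > 1) ? (unsigned short)atoi(argv[1]) : 1025;
    unsigned char buf[1500];       /* one Ethernet-sized datagram */
    char line[4096];               /* 34-byte prefix + 2 hex chars per byte */
    int sock = open_udp_listener(port);

    if (sock < 0) {
        perror("open_udp_listener");
        return 1;
    }
    fprintf(stderr, "listening on UDP port %u\n", port);
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(sock, buf, sizeof(buf), 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n < 0) {
            perror("recvfrom");
            break;
        }
        if (format_datagram(&from, buf, (size_t)n, line, sizeof(line)) >= 0)
            puts(line);
    }
    close(sock);
    return 0;
}
```

Run it on one of the Windows machines' side of the subnet, or on any host that the scanning laptop is known to probe, and the source address and port printed for each datagram will show whether the 53727-and-upward source ports in the report line up with what the laptop actually sends; the hex dump gives something concrete to compare against the protocol that Skype, UPnP or any other suspect is known to speak.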