Full Version: Port 1025
tibbar
Everyone makes security errors now and then. On one of my servers I had port 1025 open (at one time I had needed this for a test, but forgot to close it again on the router).

I recently noticed that several people were connected on that port to the server, and observed that a connection would be successful via telnet to port 1025 (no banner).

Does anyone know what service is running on port 1025 under Win XP, and whether it poses a security risk?

Thanks
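The practical way to answer "what is listening on 1025 and who is connected to it" on the box itself is `netstat -ano` (which includes the owning PID) combined with `tasklist`. The following is an added example, not part of the original thread: it parses constructed sample output from those two commands (the PIDs, addresses and process names are made up) and maps the listening port to its process and its current remote peers.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `netstat -ano` output (Windows layout).
# PIDs and addresses are invented for this example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.10:80        198.51.100.3:40112     ESTABLISHED     1488
  TCP    192.168.1.10:1025      203.0.113.7:51522      ESTABLISHED     1040
  TCP    192.168.1.10:1025      203.0.113.9:4431       ESTABLISHED     1040
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` output for the same machine.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","904","Console","0","4,580 K"
"svchost.exe","1040","Console","0","5,120 K"
"inetinfo.exe","1488","Console","0","9,876 K"
"""


@dataclass
class Endpoint:
    proto: str
    local_port: int
    foreign: str
    state: str
    pid: int


def _port_of(addr: str) -> int:
    """Extract the port from 'host:port'; '*:*' (UDP) and '[::]:80' both work."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[Endpoint]:
    """Turn `netstat -ano` text into Endpoint rows, skipping headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP":
            # UDP rows carry no State column.
            proto, local, foreign, pid = parts
            state = ""
        else:
            proto, local, foreign, state, pid = parts
        rows.append(Endpoint(proto, _port_of(local), foreign, state, int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def who_owns_port(netstat_text: str, tasklist_text: str, port: int) -> dict:
    """Report the listening PID, its image name and the established remote peers."""
    endpoints = parse_netstat(netstat_text)
    images = parse_tasklist(tasklist_text)
    listener = next(
        (e for e in endpoints if e.local_port == port and e.state == "LISTENING"), None
    )
    peers = sorted(
        e.foreign for e in endpoints if e.local_port == port and e.state == "ESTABLISHED"
    )
    return {
        "pid": listener.pid if listener else None,
        "image": images.get(listener.pid) if listener else None,
        "peers": peers,
    }


if __name__ == "__main__":
    print(who_owns_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 1025))
```

When the owner turns out to be svchost.exe, the image name alone does not tell you which service it is; `tasklist /SVC` lists the services hosted by each svchost instance, which is the column you actually want before deciding whether the listener is expected.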
QWERTY-
1025 is Network BlackJack; I don't think there are any workable exploits for it though.
cornstalk
Someone could have set up an FTP server on this port.
tibbar
If Network BlackJack is already running on the port then I don't think that would be possible, as the port would already be in use (people were connected to TCP 1025, and telnetting to TCP 1025 was successful, but no banner appeared).

I'll try an FTP client on it to be sure, and confirm that the Network BlackJack service has not been disabled.

Thanks guys
BeNiNuK
1025 is a port that mIRC uses for DCC sends. Maybe you've been hacked and some kiddie put a rootkit on your PC?
tibbar
No, I don't think so. I've run a network sniffer, and there is no abnormal network activity (IRC connections etc). I think it was just a few idiots running a port scan on my external IP address, who picked up on open 1025.

The server in question now only has port 80 open for web serving (and I've run rkdetector to check for public rootkits). Hopefully all is OK now.

Oh, something else popped to mind, unrelated: try using the Start - Search feature in XP. Notice the connection to sc.windows.com... M$ is spying on you! Apparently it passes your search text back to M$!

I wonder how this fits in with data protection legislation; I'm sure M$ should ask permission first!
mathofaka
I have the same problem, port 1025 open.
I forgot how to close it. If anyone gets info on how to close it then please email me: jzthug44@yahoo.com
Ahmeket
DCC uses a great range of ports. Now if this port is already occupied DCC will simply not use it.
dotcom
QUOTE (tibbar @ Jun 19 2004, 08:22 AM)
If Network BlackJack is already running on the port then I don't think that would be possible, as the port would already be in use (people were connected to TCP 1025, and telnetting to TCP 1025 was successful, but no banner appeared).

I'll try an FTP client on it to be sure, and confirm that the Network BlackJack service has not been disabled.

Thanks guys

Even netcat can be bound to the same port as another listening service or whatever... Just because you have port X dedicated to app Y, another app can be bound before the old one, effectively disabling the legit listening app/service/whatever. Just something to keep in mind.
Killaloop
Port 1025 is for the Task Scheduler.
With a login and password you can remotely schedule tasks which will be executed later, so you are easily hackable when you use a weak password.
Always close this port.
tibbar
Interesting, so when you use the "AT" command on a remote PC, it connects on port 1025 alone?
SET_coo
I'm pretty sure that 135 (137?) has to be open as well as 1025 to be hacked... ? Maybe I'm misguided.
Killaloop
QUOTE (SET_coo @ Jun 20 2004, 01:25 AM)
I'm pretty sure that 135 (137?) has to be open as well as 1025 to be hacked... ? Maybe I'm misguided.

Nope.
Only the RPC service has to be started. Sure, DameWare doesn't work, but there are apps which only connect to the scheduler and schedule the task you specify at a time you tell it.
tibbar
Interesting, Killaloop. So in theory you could schedule the telnet server to switch on etc., provided the admin account has a weak password.

Good to know that. I guess as 1025 and 80 were the only ports forwarding, the server should have been at minimal risk, and the admin account had been secured already.
manu
Friends,

Just look at the below link, it will give you some clue.

Go and find those damn things.

Manu
tibbar
Hmm... I wasn't aware of a public version of the lsass.dll exploit working on port 1025.

If there is, then my server could have been seriously compromised using a connect-back shell.
Killaloop
Also, I see port 1025 on many lists as an LSASS target (some even say the public exploits target it, which is completely wrong). From the original eEye advisory you can read this:
The susceptible LSA functionality is accessible via the LSARPC named pipe over TCP ports 139 and 445.
Not sure if they gave us all the information... would suck if not, because many older firewalls are vulnerable to 1025 attacks.

/edit
from here
http://npotechs.org/drupal/node/view/125

"Note that in certain Windows configurations, the Active Directory
interface also listens on an ephemeral TCP port (above 1024)."
Anyway, no public exploit, but changing the source code's port would have been enough I guess.
Just install the patch and make sure you've got strong passwords (because of the scheduler) and you are done.
Serhat
QUOTE (tibbar @ Jun 19 2004, 08:22 AM)
telnetting to TCP 1025 was successful, but no banner appeared).

I'll try an FTP client on it to be sure

An FTP server will automatically send you some messages like welcome etc. If not, it will at least ask for a user, so what you could do when telnetting is try "user test" or something; it should say something like "331 Password required for test."...
Of course you don't need this anymore, but maybe for others (future reference).
And like Killaloop said, close the port. Task Scheduler is useless, at least I don't think you will use it remotely anyway.

Serhat
o0oKARo0o
Try to connect to port 1025 through FTP, telnet, radmin, DameWare, VNC etc...
If any connection succeeds and asks you for a password or something like that, your port is being used by a hacker for sure.
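Serhat's and o0oKARo0o's suggestions amount to a manual banner grab against your own server: connect, wait for a greeting, and if nothing arrives, send an FTP `USER` line and see whether a 3xx reply comes back. The block below is an added example, not code from this thread: it automates that check and, so it runs offline, spins up two constructed local listeners (one that behaves like an FTP daemon, one that accepts and stays silent, which is what tibbar saw on 1025). The host, ports and greeting text are invented for the example.

```python
import socket
import threading

# FTP reply codes that identify the far end as an FTP control channel.
FTP_CODES = {"220": "service ready", "331": "password required", "530": "not logged in"}


def _recv(sock: socket.socket, timeout: float) -> bytes:
    """Read whatever the peer sends within `timeout`; b'' on silence or close."""
    sock.settimeout(timeout)
    try:
        return sock.recv(1024)
    except (socket.timeout, OSError):
        return b""


def probe_listener(host: str, port: int, timeout: float = 2.0) -> dict:
    """Connect, wait for a banner, then fall back to an FTP USER probe.

    verdict: 'ftp' (FTP greeting or FTP reply to USER), 'banner' (spoke, but not FTP),
             'silent' (accepted the connection and said nothing), 'unreachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv(s, timeout).decode(errors="replace").strip()
            if banner:
                verdict = "ftp" if banner[:3] == "220" else "banner"
                return {"verdict": verdict, "text": banner}
            # No greeting: an FTP daemon would still answer a USER command.
            s.sendall(b"USER test\r\n")
            reply = _recv(s, timeout).decode(errors="replace").strip()
            if reply[:3] in FTP_CODES:
                return {"verdict": "ftp", "text": reply}
            return {"verdict": "silent" if not reply else "banner", "text": reply}
    except OSError:
        return {"verdict": "unreachable", "text": ""}


# ---- constructed local listeners so the example runs offline ----------------

def _serve_once(handler) -> int:
    """Bind an ephemeral loopback port, handle one connection in a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _fake_ftp(conn: socket.socket) -> None:
    """Minimal FTP-like greeting plus a 331 answer to USER (constructed text)."""
    conn.sendall(b"220 Constructed FTP service ready\r\n")
    line = _recv(conn, 3.0)
    if line.upper().startswith(b"USER "):
        user = line.split()[1].decode(errors="replace")
        conn.sendall(f"331 Password required for {user}.\r\n".encode())


def _fake_silent(conn: socket.socket) -> None:
    """Accepts the connection, swallows input, never answers."""
    _recv(conn, 3.0)


def demo() -> dict:
    ftp_port = _serve_once(_fake_ftp)
    silent_port = _serve_once(_fake_silent)
    return {
        "ftp": probe_listener("127.0.0.1", ftp_port, timeout=1.0),
        "silent": probe_listener("127.0.0.1", silent_port, timeout=1.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} -> {result['verdict']:11s} {result['text']}")
```

A "silent" verdict is exactly the ambiguous case from the thread: it rules out a chatty service such as FTP but says nothing about what is there, so it should send you back to `netstat -ano` on the host to find the owning process rather than to more guessing from the outside.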