Network Blackjack protocol ? 4


DaiSr

Technical User
Apr 2, 2001
10
GB
Hi,
Does anyone know what program uses the TCP/IP network blackjack protocol on port 1025?
I have a fair amount of this traffic running over my WAN at the moment.

Thanks
 
Let me guess... you have a bunch of Win2K Pro boxes? I've seen this port open on Win2K, but for what, I don't know yet.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
This might help,

One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup.
 
fortunat

That is an interesting article, but I don't think it is relevant, as the port specifically reports that it is "network blackjack".

wybenormal - I've also got that port open and I've been trying for a few days to find out what it is.

I've used several tools and can't seem to drop the port. My concern is that it's some trojan. I've seen posts on other forums as far back as 2000, but none tell me what it is.

The best I've got at this stage is that ports 1024 - 65535 are generally used by ANY TCP/IP software, and what happens is the client software simply says, "look for the first port available starting from 1024", and in our case it's finding 1025....

But what is it? I don't know.

I've used Vision, which allows you to see which applications are using which port. Vision reports c:\winnt\system32\MSTask.exe, but to me that can mean anything.

I would have thought that "network blackjack" would be a clue, but I am getting nowhere.

Does anyone else have a clue?

ian [bigears]
 
Here are some notes on 1025

One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code, so you need to map the port in the registry and then open the port on the firewall


and:

The client software (BTEQ, FastLoad, ODBC, Queryman, etc.) communicates to the Teradata Gateway using a pre-determined TCP/IP port number of 1025.

This has been the port number used by the Teradata Client software for over twenty years. On the original TOS system and today on MP-RAS it has been relatively straightforward to make sure that no other process used this port number. With the advent of Teradata for Microsoft Windows this was not so simple. 1025 is the first available port number on Windows and is given to the first requester that does not specify a particular port. In order to make sure that the Windows version of Teradata could communicate with the then existing client software which assumed 1025, the Gateway Reserve Port service was created which is tasked to be started at exactly the right time in the NT boot-up process to make sure that it got port number 1025 when it asked. This service "holds" the port until the Teradata gateway vproc is started at Teradata start-up, then "transfers" the port to the gateway. This can be seen in the NT Event log at Teradata startup.

This scheme worked reasonably well for NT 4.0 and Windows 2000. However, with the advent of Windows XP, some PCs (though not all) have some other process that manages to acquire port number 1025 before the GTWRSVTDMST service tries to acquire it. This results in the message 10048 and the not very helpful hint to try re-booting the box. (Actually, re-booting works some of the time for some PCs; as I said, it's a rare condition.) Find me at
"The trouble with giving up civil rights is that you never get them back"
 
hiya,

I've been wondering about this one too - I traced it back on XP to a svchost.exe process and then proceeded to shut off one service after the other to see if the port closed, but no luck. The only services I couldn't shut down were:

Remote Access Connection Manager
Remote Procedure Call (RPC)
Telephony
Windows Audio

So maybe it's one of these?
 
I used a tool called fport which I got from (no I don't work for them). That traced the port back to the svchost.exe of which there were several instances running in the processes box. These can then be traced back to the registry
HKLM/Software/Microsoft/Windows NT/CurrentVersion/SVCHOST
In there you will find entries corresponding to the processes that are running. By process of elimination I found svcimg in the registry and that seemed to be the one opening the port. Blitzed it (backed up the registry first) and the port is no longer a problem and the machine still works! Hope it helps.
 
Blackjack is registered to Network Blackjack

It is associated to playing certain internet casinos allowing free or for money gambling.

I believe that it runs on 1024 and/or 1025

I was given this information from a friend that is a network manager and he apparently did some research to find out what it was and where it was coming from.
1025 is also used by jmstudio.

TO
 
Well, how did network blackjack get loaded then? I'm going to play around with this tomorrow. I am using SuperScan to scan 2 new W2K servers I have running at my office. I feel they are locked down pretty well, but there's always something else to check into. 1025 is open on both of these W2K servers. Is it blackjack? Or something else? More tests to come... Good thread, guys.
 
Ran fport on this W2K server, I am running SQL Database on it, fport shows 1025 as:

528 msdtc -> 1025 TCP C:\WINNT\System32\msdtc.exe


Guess the IANA port list shows what's been assigned but definitely isn't something that's the LAW.
 
Well.....Port 1025 and Blackjack.

Several days ago I had no listening ports and I was surfing the net looking at security sites/trojan sites (for learning purposes, as I am studying security). Anyway, all is fine until I re-boot my computer and open Internet Explorer. My start page had been replaced with a different one. I can't be sure which site it was (it was a black hacking web site with three letters as its name). All my history in IE is gone, and today's is replaced with yesterday's. After a scan I found a so-called 'virus' in the IExplorer folder, which was un-deletable (or so it said).
My security privacy settings get reverted back to 'none' and my ZoneAlarm password is non-existent anymore, making me choose to set the password again. The listening port doesn't want to be blocked, and it must be showing me on the net, as I am getting many 'hits'. Also, my ZoneAlarm log viewer won't hold any alerts that pop up (maybe unrelated, as I installed VisualTrace for ZAlarm, which may have caused problems). Anyway,

My security settings in ZAlarm reverted to 'nothing'.
ZoneAlarm won't log alerts to log viewer.
My start page re-set to a hacking site.
My history settings in IExplorer are gone (only yesterday).
I found a virus (suspicious file-TrendPc-Cill2k)in IE Folder

I have visited hacking sites and loaded many scanners, etc.
I visited 'hrvg.tk' and downloaded some utils, along with many other hack sites. I presumed I would go back to my history in IE and get the start page that was swapped with mine, but history, as said above, is gone. I know it has a black start page.

Anyways, this has completely and utterly stuffed up my so called "invisibility" on the net.
 
For what it's worth, I downloaded Active Ports and it showed MSTask.exe opened 1025. The cute little "terminate process" option at the bottom let me select and terminate it. However, as you may have guessed, it's right back in there upon reboot. I can see its functionality with AD and imagine that everyone and their dog is trying to get teeth into it. I keep a fairly close watch on my ports and have yet to see anyone trying to exploit it. Of course, the first ones to do that will be Big Brother Bill anyway. Like Saddam, he swears he isn't making any (software) weapons of mass destruction. Did anyone else notice that the Slammer could only be fixed with SP3?
 
I'm getting incoming access attempts on 1025 too, also 1027.
Almost constant activity on the hardware firewall.
Doesn't appear to be getting through to the software firewall though.
According to the firewall status screen, the I.P. it's coming from is my AT&T Broadband DNS server???

No clue...
 
Here's a good site that's got info on other progs (trojans) that use port 1025:


1025 tcp blackjack network blackjack
1025 tcp FraggleRock [trojan] Fraggle Rock
1025 tcp listen listener RFS remote_file_sharing
1025 tcp md5Backdoor [trojan] md5 Backdoor
1025 tcp NetSpy [trojan] NetSpy
1025 tcp RemoteStorm [trojan] Remote Storm
1025 udp blackjack network blackjack
1025 udp RemoteStorm [trojan] Remote Storm
 
Interesting set of posts. Think I see some common threads, based on my own experience and what I'm reading here:

#1 Something in the various Windows OS grabs onto TCP port 1025 during startup.

#2 The service using 1025 depends on the OS. That would explain why everyone is tracing it back to different processes.

#3 It has nothing to do with blackjack.

I'm running Win2kPro on a stand-alone box. On my system, I discovered that it is mstask (Windows Task Scheduler) that listens on TCP 1025. I've been whittling away at unnecessary services one at a time. And Lo! when I set the Task Scheduler service to manual startup instead of automatic on system startup, then stopped the service, nothing was listening on 1025 for the first time ever.

(Note to Kymnom1 - you say you terminated the mstask process, but you don't mention whether you changed the startup type for it. Its default is to start automatically.)

Reading the other posts, it sounds like something in each of various Windows OS's is indeed grabbing 1025, but which service depends on which OS. For example, it sounds like:

- With Win2k Pro, it's mstask.exe (the Task Scheduler)
- With Win2k Server, it's msdtc.exe
- With XP, it's something using svchost.exe (and you have to trace it or look in the registry to figure out exactly what)

Anybody else get that impression? Or know differently?

Also, I agree with ITGL72 about the IANA port list. This network blackjack thing gave me the willies at first, but I think now that it is a snare and a delusion. There doesn't seem to be any actual evidence of a link except the IANA registration list - and lots of legitimate programs use ports officially registered to others. (Lots of illegitimate ones, too, as sageturkey points out.)
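The procedure this thread converges on (map the listening port to its owning process and image path with a tool like fport, resolve svchost.exe instances through the Svchost registry key, and judge the listener by its binary rather than by the name the IANA list attaches to the port number) is sketched below as an added Python example. It is not code from any poster or from fport's authors. It parses fport-style output lines (the sample input is constructed in the format quoted earlier in the thread; only the msdtc line is taken from the page, the other paths and the "unknown.exe" entry are made up), looks up what the IANA registration and the trojan list quoted above attach to the port, and compares the owning binary against the per-OS findings the posters reported. The expected-path table and the `needs_svchost_lookup` flag are assumptions for illustration, not documented tool behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# An fport output line, as quoted in this thread:
#   528 msdtc -> 1025 TCP C:\WINNT\System32\msdtc.exe
# fields: PID, process name, local port, protocol, image path
FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.*\S)\s*$")

# What the IANA registry and the trojan list quoted above attach to port 1025.
# These names are claims about the port number only, not about the process behind it.
PORT_NAMES = {
    1025: ["network blackjack (IANA registration)", "Fraggle Rock [trojan]",
           "md5 Backdoor [trojan]", "NetSpy [trojan]", "Remote Storm [trojan]"],
}

# System binaries the posters traced 1025 to on each OS (assumption: default
# install paths; the comparison is case-insensitive because fport prints mixed case).
EXPECTED_OWNERS = {
    "win2k pro": {r"c:\winnt\system32\mstask.exe"},
    "win2k server": {r"c:\winnt\system32\mstask.exe", r"c:\winnt\system32\msdtc.exe"},
    "xp": {r"c:\windows\system32\svchost.exe"},
}

# Registry key named in the thread that maps svchost.exe instances to service groups.
SVCHOST_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost"


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_fport(text: str) -> list[Listener]:
    """Parse fport-style lines; banner and header lines without '->' are skipped."""
    out = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            out.append(Listener(int(pid), name, int(port), proto, path))
    return out


def triage(listeners: list[Listener], os_name: str) -> list[dict]:
    """Judge each dynamic-range (>= 1024) listener by its owning binary, not its port name."""
    expected = EXPECTED_OWNERS[os_name.lower()]
    findings = []
    for lst in listeners:
        if lst.port < 1024:
            continue
        path = lst.path.lower()
        verdict = ("expected system listener" if path in expected
                   else "unexpected owner: investigate binary")
        findings.append({
            "port": lst.port, "proto": lst.proto, "pid": lst.pid, "path": lst.path,
            "registered_names": PORT_NAMES.get(lst.port, []),
            "verdict": verdict,
            # svchost.exe only hosts services; the real owner is a service group in the registry
            "needs_svchost_lookup": path.endswith(r"\svchost.exe"),
        })
    return findings


# Constructed sample: the msdtc line is the one quoted in the thread, the rest are made up.
SAMPLE_FPORT = r"""
Pid   Process         Port  Proto Path
528   msdtc       ->  1025  TCP   C:\WINNT\System32\msdtc.exe
1204  mstask      ->  1026  TCP   C:\WINNT\System32\MSTask.exe
1337  unknown     ->  1025  UDP   C:\Temp\unknown.exe
"""

if __name__ == "__main__":
    for f in triage(parse_fport(SAMPLE_FPORT), "win2k server"):
        print(f"{f['proto']}/{f['port']} pid {f['pid']} {f['path']}: {f['verdict']}")
        if f["needs_svchost_lookup"]:
            print(f"  svchost instance: look up its service group under {SVCHOST_KEY}")
```

Run against the sample with "win2k server", the script accepts msdtc.exe and MSTask.exe as the listeners the posters documented for that OS and flags the made-up C:\Temp\unknown.exe on UDP 1025 for investigation, even though all three share the "network blackjack" port name; the same msdtc entry is flagged under "win2k pro", where only the Task Scheduler was reported, which is the point the last post makes about the owner depending on the OS.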
 