About port 1025 and the network blackjack service

    Technology  2022-05-11  46

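    Q: I scanned a machine with X-scan and it reported: 1025/tcp - "network blackjack"服务可能运行于该端口 (the "network blackjack" service may be running on this port).

    My answer:

    First, I'm not sure whose machine you mean: did you scan someone else's or your own? I'll assume your own here.

    Using tcpview and netstat -vbna, I did not find port 1025 open on my machine (2003 Tomato Garden build, with basically all the latest patches applied).

    As for the network blackjack service, this is the first time I have noticed it too. I looked on Google and, surprisingly, there is a document from 2002!

    After reading it carefully several times, I roughly understand what it says.

    Microsoft's documentation also mentions that the network blackjack service is registered on TCP/UDP port 1025, but it does not say which programs use the network blackjack service.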

    1025/tcp, udp blackjack Network blackjack.

    At least 14 services use port 1025 through svchost.exe.

    Service list:

    *WZCSVC             svchost.exe -k netsvcs  Stopped  Auto
    *TrkWks             svchost.exe -k netsvcs  Stopped  Auto
    *TermService        svchost.exe -k netsvcs  Stopped  Manual
    *srservice          svchost.exe -k netsvcs  Stopped  Auto
    *ShellHWDetection   svchost.exe -k netsvcs  Stopped  Auto
    *seclogon           svchost.exe -k netsvcs  Stopped  Auto
    *Schedule           svchost.exe -k netsvcs  Stopped  Auto
    *Netman             svchost.exe -k netsvcs  Stopped  Manual
    *lanmanworkstation  svchost.exe -k netsvcs  Stopped  Auto
    *lanmanserver       svchost.exe -k netsvcs  Stopped  Auto
    *Dhcp               svchost.exe -k netsvcs  Stopped  Auto
    *CryptSvc           svchost.exe -k netsvcs  Stopped  Auto
    *Browser            svchost.exe -k netsvcs  Stopped  Auto
    *AudioSrv           svchost.exe -k netsvcs  Stopped  Auto
    -------------

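    Of course, it cannot be ruled out that some trojan is using these services to build a backdoor, for example netspy.

    There are also some exceptions, such as: because some providers block port 25, many hosting providers use this port for SMTP, and Net2phone internet telephony uses port 1025 for its VoIP service.

    Under normal circumstances, these are thought to appear only on NT/XP/2000 systems.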

     

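    I don't know whether I have covered everything. For more about svchost.exe, see the site below:

    http://www.blackviper.com/ (I could not get it to open myself, just saying!)

    Additional information:

    Port 1025 is assigned to network blackjack. However, this port is also used by other services: because some providers block port 25, many hosting providers use this port for SMTP; Net2phone internet telephony uses port 1025 for its VoIP service; RPC (Remote Procedure Call) and Active Directory also use port 1025. So confirm that your network is not using any of the services above. Because there is an RPC security vulnerability that targets this port, your port 1025 may also be used for attack activity.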
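
The manual check described on this page (find the listener with netstat, then work out which svchost.exe and which services sit behind it) can be scripted. The Python below is an added example, not code from the original post or the quoted thread; it assumes its input is the text of `netstat -ano` and `tasklist /svc`, and the two sample outputs embedded in it are constructed.

```python
import re

# Constructed samples in the layout of `netstat -ano` and `tasklist /svc`
# (not captured from a real host; PID 1000 echoes the value quoted in the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1000
  TCP    192.168.0.5:1031       203.0.113.7:80         ESTABLISHED     2312
  UDP    0.0.0.0:1025           *:*                                    1000
"""
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1000 AudioSrv, Browser, CryptSvc, Dhcp,
                                 lanmanserver, lanmanworkstation, Netman
iexplore.exe                2312 N/A
"""

def listeners(netstat_text, port):
    """(proto, local address, pid) for sockets bound to `port`: TCP LISTENING or any UDP."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[1].rpartition(":")[2] != str(port):
            continue                      # header, blank line, or another port
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue                      # outbound connection that only uses the port as its source
        found.append((f[0], f[1], int(f[-1])))
    return found

def services_by_pid(tasklist_text):
    """Map PID -> (image name, [services]); indented lines continue the previous row."""
    table, pid = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            pid, line = int(m.group(2)), m.group(3)
            table[pid] = (m.group(1), [])
        elif pid is None or not line.startswith(" "):
            continue
        table[pid][1].extend(s.strip() for s in line.split(",") if s.strip() not in ("", "N/A"))
    return table

def explain_port(netstat_text, tasklist_text, port=1025):
    """Rows of (proto, address, pid, image, services) for each listener on `port`."""
    procs = services_by_pid(tasklist_text)
    return [(proto, addr, pid) + procs.get(pid, ("<unknown>", []))
            for proto, addr, pid in listeners(netstat_text, port)]
```

A row whose image comes back as `<unknown>`, or as something other than a service-hosting svchost.exe, is the case that needs a closer look.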

     

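    Other answers:

    Ports from 1025 upward are listen ports that Windows allocates dynamically. After connecting anonymously to this port, one can obtain server information, user information and so on for the Windows network. Being able to obtain user names and server information anonymously means an intruder can easily gather the information needed to attack the server. It was previously known that the same information could be obtained through SMB (ports 139 and 445), but this is the first time a Windows configuration has been found in which it can be obtained through another port. Moreover, if the password can be guessed and the connection is made as a legitimate user rather than anonymously, it may be possible to execute arbitrary commands.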

     

    +++++++++++++++++++++++++++++++++++++++

    Attachment: http://www.wilderssecurity.com/archive/index.php/t-2736.html

     

    ---------------------------------------------------------------------

    Wilders Security Forums > Other Security Topics > malware problems & news > What is Network Blackjack??


    snapdragin July 31st, 2002, 06:11 PM
    i checked TDS-3's System Analysis--Netstat to see what ports were opening/listening etc., and i've seen this here before but didn't really know what it was since i seem to have quite a few things in Netstat listed as listening. But this time i thought i'd check it out with a google search to see exactly what this Network Blackjack is. It's listening on port TCP 1025 (the other port listed there to the right is 20517)

    when i did a google search with just Network Blackjack the page wouldn't display....but when i reversed the names, a lot of gambling listed sites came up, some....seemed more than just gambling. :-/ i went to the Internet Storm Centre and from what i think i am seeing, and probably not understanding, but this is looking like a trojan to me.......umm...is it?

    my TDS-3, NOD32, Trojan Hunter, AdAware+, Spybot Search&Destroy are all up to date, and i do regular scans, and nothing has alerted to anything suspicious or any suspicious ports. my firewall, Sygate Personal Firewall ver 5, doesn't show anything out of the ordinary...but then i am still getting used to reading the different IP's and packets. (i'm on cable and with a D-Link router/firewall....XP-Home, have XP's internal firewall disabled, and on a cable modem)

    i really hope someone can tell me that is not a trojan and i have nothing to worry about. But i'd sure like to know what it is that's listening.....i have never played BlackJack..~l~ and have not played any on-line gambling games on this pc.....or any other pc. (oh..did a deep files search of the entire HD and nothing came up even close to anything with that name or close to it) any enlightenment would be very much appreciated. :)

    MyNethingyman July 31st, 2002, 06:55 PM
    Port 1025 is often one of the first ports used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025. If you run netstat you will see something like:

        netstat -vatn
        Active Internet connections (servers and established)
        Proto Recv-Q Send-Q Local Address    Foreign Address  State
        tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN
        tcp        0      0 1.2.3.4:1025     2.3.4.5:22       ESTABLISHED

    I would think that the reference to Network Blackjack is just the fact it also uses the port..but nothing to do with you. what proggie came up with this blackjack thing... TDS? This will give you an idea of what you are seeing if you read the page at this link... you will find Network Blackjack there. But you have nothing to worry about. http://www.glocksoft.com/Reports/PortScanner.htm

    AATools Port scanner detects active ports on the target machine and then it displays some kind of ad-hoc list of port assignments, some of which are registered assignments, some of which are unregistered uses, and some of which are just guesses about whether a port might be used by a Trojan. Port Description/Possible Trojan simply shows what trojans and programs are known to commonly use a particular port. For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.

    snapdragin July 31st, 2002, 07:09 PM
    hi MyNetThingyMan! Thank you for your reply! yes, i used TDS-3's Netstat..... i have quite a few things there showing as listening.....but none of them seem to be anything out of the norm (but then i am still quite the newbie when it comes to anything network-wise....have only had the D-link and XP-Home since March/02 and still trying to figure out what belongs to what and why) ~l~

    i looked a li'l deeper for some information on this and from one of my searches a forum where they were discussing Network BlackJack, someone there posted a link about that port. http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/ntwrkstn/reskit/port_ntw.asp you'd have to scroll down just about to the bottom of that page before it gives reference to that name.

    -------------------------------
    "Table C.2 Port Assignments for Registered Ports"
    1025/tcp, udp blackjack Network blackjack
    ------------------------------

    i am still not sure what blackjack really is all about...but it looks like it is not a trojan ~whew~ :) but i sure wish they'd use another less suspicious name for it! LOL

    *fixed my url

    MyNethingyman July 31st, 2002, 07:16 PM
    "but it looks like it is not a trojan " Yes it is.. :) but you do not have it.

    snapdragin July 31st, 2002, 07:22 PM
    quoting MyNethingyman:
    > ....For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.

    i have seen a similar description somewhere while i was trying to learn more about the different ports-------and i think i *GULPED* when i seen all those nasties listed......of course....full scan of everything!! thank you again for putting my mind at ease.... :D

    snapdragin July 31st, 2002, 07:23 PM
    quoting MyNethingyman:
    > "but it looks like it is not a trojan " Yes it is.. :) but you do not have it.

    no no.....you WERE putting my mind at ease LOL! don't stop now!

    Technodrome July 31st, 2002, 07:25 PM
    There was a networked blackjack game (also known as 21) that was available and connected on port 1025. I think port 1025 was officially assigned to network blackjack (back in old days). This game associates with that port.

    Go to dos (start-->run---> cmd) and type 'netstat -an', look for anything with port 1025 (or use TDS and Active Ports from http://www.ntutility.com/freeware.html) ;). Now close another program and look again. If after closing all visible programs the port 1025 stays open, hit control-alt-delete once and exit everything but explorer. If that port is still open, you may have a trojan horse running...

    There are several trojan horses (that I can recall right now) using port 1025, NetSpy, Maverick's Matrix, and RemoteStorm...

    Technodrome

    snapdragin July 31st, 2002, 07:38 PM
    hi Technodrome :) i did the netstat -an and it only showed one instance of port 1025:

        Proto  Local Address   Foreign Address  State
        TCP    0.0.0.0:1025    0.0.0.0:0        LISTENING

    (didn't list the other ports there since most refer to my pc)

    i don't have the ctl-alt-del on this XP-Home pc.....but if i go to Task Manager....well....darn, i could be hours there shutting things down and hoping i'm not disconnecting myself. i am using XP-Antispy3, and i manually shut down Creative's iM tuner as soon as i start the pc....but those other svchost.exe's that run with XP, just spin me in circles trying to figure out what they belong to. i'll go for anything that looks like it isn't necessary first....then i'll post back, but it may be awhile. LOL! thank you! :)

    Technodrome July 31st, 2002, 09:05 PM
    quoting snapdragin:
    > i don't have the ctl-alt-del on this XP-Home pc......

    ctl-alt-del-----> win task manager----->processes---->end process . but i bet you already knew this ;) .

    Technodrome

    snapdragin July 31st, 2002, 11:48 PM
    This is what TDS-3 showed Port 1025 as; The Active Port program showed the svchost.exe's Process ID (PID) as 1000 (that is a great li'l program Technodrome!) and after trying each svchost.exe in the TaskManager, i finally found the one that shut down Port 1025. (WOW...it sure is taking a lot of memory)

    snapdragin July 31st, 2002, 11:58 PM
    but it still didn't tell me what the svchost.exe was exactly and with it using that much memory...i wanted to find out. LOL!! THIS was a learning experience! i went into the Advanced System Information panel, but the Process ID for each running service wasn't listed (oversight on M$ there because it sure would have made it easier)....so i copied a before and after. These 14 services stopped running when i shut down Port 1025 and the svchost.exe that's listening on it:

    *WZCSVC             svchost.exe -k netsvcs  Stopped  Auto
    *TrkWks             svchost.exe -k netsvcs  Stopped  Auto
    *TermService        svchost.exe -k netsvcs  Stopped  Manual
    *srservice          svchost.exe -k netsvcs  Stopped  Auto
    *ShellHWDetection   svchost.exe -k netsvcs  Stopped  Auto
    *seclogon           svchost.exe -k netsvcs  Stopped  Auto
    *Schedule           svchost.exe -k netsvcs  Stopped  Auto
    *Netman             svchost.exe -k netsvcs  Stopped  Manual
    *lanmanworkstation  svchost.exe -k netsvcs  Stopped  Auto
    *lanmanserver       svchost.exe -k netsvcs  Stopped  Auto
    *Dhcp               svchost.exe -k netsvcs  Stopped  Auto
    *CryptSvc           svchost.exe -k netsvcs  Stopped  Auto
    *Browser            svchost.exe -k netsvcs  Stopped  Auto
    *AudioSrv           svchost.exe -k netsvcs  Stopped  Auto
    -------------

    if i have a trojan...i think i need it! ;) i don't, do i.... but why would all these services have to be listening on a port?

    snapdragin August 1st, 2002, 12:00 AM
    quoting Technodrome:
    > ......ctl-alt-del-----> win task manager----->processes---->end process . but i bet you already knew this ;) . Technodrome

    LOL!....of course i knew that!! (i, just forgot) ::)

    Rickster August 1st, 2002, 02:58 AM
    My XP is lean and always has 18 to 20 system32/svchost ports listening. Others, like Proxo, listen on 8080, which if you look up is a port for “proxy [but also] RAT’s: Brown Orifice, RemoteConChubo, RingZero." As Techno said, some ports are named for the Trojans known to use them, or previously assigned services.

    When you see 0.0.0.0:Port# using 0.0.0.0. the service is dormant but only listening, that’s all. One is Port 135 – RPC, Remote Procedure Location Service using 0.0.0.0.: to some unassigned port. Some are loop backs to other system32 services to communicate with each other. Others listen for automatic updates via your security programs, or MS updates. You can go nuts trying to figure out everything using svchost that listens, but don't let the "handle" given the port name worry you, it's not always related.

    Considering what you’re using, you’re well protected. Use TDS Net Stat frequently, but focus on the Established TCP and Remote TCP Connection tabs primarily. When off-line, mine are always blank there, unless my e-mail and AV program are checking for mail – anything else would get my undivided attention. As you saw when you shutdown svchost on 1025 – see all the relevant services that went down with it. It’s safe to leave it be. I bet if you scan each of those ports, they'll show closed or stealthed too.

    Technodrome August 1st, 2002, 10:58 AM
    quoting snapdragin:
    > but it still didn't tell me what the svchost.exe was exactly and with it using that much memory...i wanted to find out. LOL!! THIS was a learning experience! i went into the Advanced System Information panel, but the Process ID for each running service wasn't listed (oversight on M$ there because it sure would have made it easier)....so i copied a before and after. These 14 services stopped running when i shut down Port 1025 and the svchost.exe that's listening on it:
    >
    > *WZCSVC             svchost.exe -k netsvcs  Stopped  Auto
    > *TrkWks             svchost.exe -k netsvcs  Stopped  Auto
    > *TermService        svchost.exe -k netsvcs  Stopped  Manual
    > *srservice          svchost.exe -k netsvcs  Stopped  Auto
    > *ShellHWDetection   svchost.exe -k netsvcs  Stopped  Auto
    > *seclogon           svchost.exe -k netsvcs  Stopped  Auto
    > *Schedule           svchost.exe -k netsvcs  Stopped  Auto
    > *Netman             svchost.exe -k netsvcs  Stopped  Manual
    > *lanmanworkstation  svchost.exe -k netsvcs  Stopped  Auto
    > *lanmanserver       svchost.exe -k netsvcs  Stopped  Auto
    > *Dhcp               svchost.exe -k netsvcs  Stopped  Auto
    > *CryptSvc           svchost.exe -k netsvcs  Stopped  Auto
    > *Browser            svchost.exe -k netsvcs  Stopped  Auto
    > *AudioSrv           svchost.exe -k netsvcs  Stopped  Auto
    > -------------
    >
    > if i have a trojan...i think i need it! ;) i don't, do i.... but why would all these services have to be listening on a port?

    You've got no Trojan Horse on your system! If you want to know more about those services including svchost.exe go to this site: http://www.blackviper.com/

    Technodrome

    snapdragin August 2nd, 2002, 06:44 AM
    :) MyNethingieMan, Technodrome, and Rickster.....thank you very much for your help and guidance!

    MNM---i looked at the Advanced Administrative Tools (especially that Process Monitor) at G-Lock Software...WOW! Even though it's a bit up there in price, given it's an 11 in 1 utilities makes it very tempting just to d/l the trial version and see what it comes up with. Have you tried this program yourself?

    Rickster---yup, you are right! most of the ports that show up in Netstat are with the 0.0.0.0. and just listening (usually only one that shows Established is icq when i have it on).....but you have up to 80 listening all at once?? woooo! mine only shows 3-4 listening. (not as worried now! thanks!) :D

    Technodrome---thank you again for your help, and i feel confident i don't have a trojan on either pc now. The "Active Port" program is really sweet! Do you know if they have an earlier version of that, that would work on Win98se or WinME....or would the one listed for XP there, also work on earlier OS?

    thanks again everyone!

    Technodrome August 2nd, 2002, 03:58 PM
    quoting snapdragin:
    > Technodrome---thank you again for your help, and i feel confident i don't have a trojan on either pc now. The "Active Port" program is really sweet! Do you know if they have an earlier version of that, that would work on Win98se or WinME....or would the one listed for XP there, also work on earlier OS? thanks again everyone!

    NP snapdragin! ;) Active Ports will only work with nt/2000/xp systems!

    Technodrome