What is Network Blackjack??
snapdragin
July 31st, 2002, 06:11 PM
i checked TDS-3's System Analysis--Netstat to see what ports were opening/listening etc., and i've seen this here before but didn't really know what it was since i seem to have quite a few things in Netstat listed as listening. But this time i thought i'd check it out with a google search to see exactly what this Network Blackjack is. It's listening on port TCP 1025 (the other port listed there to the right is 20517)
when i did a google search with just Network Blackjack the page wouldn't display....but when i reversed the names, a lot of gambling listed sites came up, some....seemed more than just gambling. :-/
i went to the Internet Storm Centre and from what i think i am seeing, and probably not understanding, but this is looking like a trojan to me.......umm...is it?
my TDS-3, NOD32, Trojan Hunter, AdAware+, Spybot Search&Destroy are all up to date, and i do regular scans, and nothing has alerted to anything suspicious or any suspicious ports.
my firewall, Sygate Personal Firewall ver 5, doesn't show anything out of the ordinary...but then i am still getting used to reading the different IP's and packets. (i'm on cable and with a D-Link router/firewall....XP-Home, have XP's internal firewall disabled, and on a cable modem)
i really hope someone can tell me that is not a trojan and i have nothing to worry about. But i'd sure like to know what it is that's listening.....i have never played BlackJack..~l~ and have not played any on-line gambling games on this pc.....or any other pc.
(oh..did a deep files search of the entire HD and nothing came up even close to anything with that name or close to it)
any enlightenment would be very much appreciated. :)
MyNethingyman
July 31st, 2002, 06:55 PM
Port 1025 is often one of the first ports used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025. If you run netstat you will see something like:
netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 1.2.3.4:1025 2.3.4.5:22 ESTABLISHED
I would think that the reference to Network Blackjack is just the fact it also uses the port..but nothing to do with you.
what proggie came up with this blackjack thing... TDS?
This will give you an idea of what you are seeing if you read the page at this link... you will find Network Blackjack there.
But you have nothing to worry about.
http://www.glocksoft.com/Reports/PortScanner.htm
AATools Port scanner detects active ports on the target machine and then it displays some kind of ad-hoc list of port assignments, some of which are registered assignments, some of which are unregistered uses, and some of which are just guesses about whether a port might be used by a Trojan.
Port Description/Possible Trojan simply shows what trojans and programs are known to commonly use a particular port. For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.
snapdragin
July 31st, 2002, 07:09 PM
hi MyNetThingyMan!
Thank you for your reply!
yes, i used TDS-3's Netstat.....
i have quite a few things there showing as listening.....but none of them seem to be anything out of the norm (but then i am still quite the newbie when it comes to anything network-wise....have only had the D-link and XP-Home since March/02 and still trying to figure out what belongs to what and why) ~l~
i looked a li'l deeper for some information on this and from one of my searches a forum where they were discussing Network BlackJack, someone there posted a link about that port.
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/ntwrkstn/reskit/port_ntw.asp
you'd have to scroll down just about to the bottom of that page before it gives reference to that name.
-------------------------------
"Table C.2 Port Assignments for Registered Ports"
1025/tcp, udp    blackjack    Network blackjack
------------------------------
i am still not sure what blackjack really is all about...but it looks like it is not a trojan ~whew~ :)
but i sure wish they'd use another less suspicious name for it! LOL
*fixed my url
MyNethingyman
July 31st, 2002, 07:16 PM
"but it looks like it is not a trojan "
Yes it is.. :) but you do not have it.
snapdragin
July 31st, 2002, 07:22 PM
quoting: MyNethingyman
....For example, a port description on port 25 shows this: SMTP - Simple Mail Transfer Protocol, RATs: Ajan, Antigen, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy. That doesn't mean that you're infected with all of those trojans! It just lets you know which trojans and programs have been known to frequent that port.
i have seen a similar description somewhere while i was trying to learn more about the different ports-------and i think i *GULPED* when i seen all those nasties listed......of course....full scan of everything!!
thank you again for putting my mind at ease.... :D
snapdragin
July 31st, 2002, 07:23 PM
quoting: MyNethingyman
"but it looks like it is not a trojan "
Yes it is.. :) but you do not have it.
no no.....you WERE putting my mind at ease LOL!
don't stop now!
Technodrome
July 31st, 2002, 07:25 PM
There was a networked blackjack game (also known as 21) that was available and connected on port 1025. I think port 1025 was officially assigned to network blackjack (back in old days). This game associates with that port. Go to dos (start-->run---> cmd) and type 'netstat -an', look for anything with port 1025 (or use TDS and Active Ports from http://www.ntutility.com/freeware.html) ;). Now close another program and look again. If after closing all visible programs the port 1025 stays open, hit control-alt-delete once and exit everything but explorer. If that port is still open, you may have a trojan horse running...
There are several trojan horses (that I can recall right now) using port 1025, NetSpy, Maverick's Matrix, and RemoteStorm...
Technodrome
snapdragin
July 31st, 2002, 07:38 PM
hi Technodrome :)
i did the netstat -an and it only showed one instance of port 1025:
Proto Local Address Foreign Address State
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
(didn't list the other ports there since most refer to my pc)
i don't have the ctl-alt-del on this XP-Home pc.....but if i go to Task Manager....well....darn, i could be hours there shutting things down and hoping i'm not disconnecting myself. i am using XP-Antispy3, and i manually shut down Creative's iM tuner as soon as i start the pc....but those other svchost.exe's that run with XP, just spin me in circles trying to figure out what they belong to.
i'll go for anything that looks like it isn't necessary first....then i'll post back, but it may be awhile. LOL!
thank you! :)
Technodrome
July 31st, 2002, 09:05 PM
quoting: snapdragin
i don't have the ctl-alt-del on this XP-Home pc......
ctl-alt-del-----> win task manager----->processes---->end process . but i bet you already knew this ;) .
Technodrome
snapdragin
July 31st, 2002, 11:48 PM
This is what TDS-3 showed Port 1025 as;
The Active Port program showed the svchost.exe's Process ID (PID) as 1000 (that is a great li'l program Technodrome!)
and after trying each svchost.exe in the TaskManager, i finally found the one that shut down Port 1025. (WOW...it sure is taking a lot of memory)
snapdragin
July 31st, 2002, 11:58 PM
but it still didn't tell me what the svchost.exe was exactly and with it using that much memory...i wanted to find out.
LOL!! THIS was a learning experience!
i went into the Advanced System Information panel, but the Process ID for each running service wasn't listed (oversight on M$ there because it sure would have made it easier)....so i copied a before and after. These 14 services stopped running when i shut down Port 1025 and the svchost.exe that's listening on it:
*WZCSVC svchost.exe -k netsvcs Stopped Auto
*TrkWks svchost.exe -k netsvcs Stopped Auto
*TermService svchost.exe -k netsvcs Stopped Manual
*srservice svchost.exe -k netsvcs Stopped Auto
*ShellHWDetection svchost.exe -k netsvcs Stopped Auto
*seclogon svchost.exe -k netsvcs Stopped Auto
*Schedule svchost.exe -k netsvcs Stopped Auto
*Netman svchost.exe -k netsvcs Stopped Manual
*lanmanworkstation svchost.exe -k netsvcs Stopped Auto
*lanmanserver svchost.exe -k netsvcs Stopped Auto
*Dhcp svchost.exe -k netsvcs Stopped Auto
*CryptSvc svchost.exe -k netsvcs Stopped Auto
*Browser svchost.exe -k netsvcs Stopped Auto
*AudioSrv svchost.exe -k netsvcs Stopped Auto
-------------
if i have a trojan...i think i need it! ;)
i don't, do i....
but why would all these services have to be listening on a port?
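Added example, not part of the thread: the port-to-process-to-services lookup that the post above did by ending each svchost.exe in turn, done instead by correlating saved output of `netstat -ano` and `tasklist /svc`. It assumes a Windows version that provides both commands; the sample text is constructed (PID 1000 and the service names echo the thread) and the function names are hypothetical.

```python
import re

# Constructed sample output, shaped like `netstat -ano` and `tasklist /svc`.
# PID 1000 and the service names echo the thread; everything else is made up.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1000
  TCP    192.168.0.2:1042       203.0.113.7:5190       ESTABLISHED     1512
"""
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    884 RpcSs
svchost.exe                   1000 AudioSrv, Browser, CryptSvc, Dhcp,
                                   lanmanserver, lanmanworkstation, Schedule
icq.exe                       1512 N/A
"""

def listeners(netstat_text):
    """Map local TCP port -> owning PID for sockets in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            found[int(f[1].rsplit(":", 1)[1])] = int(f[4])
    return found

def services_by_pid(tasklist_text):
    """Map PID -> (image name, [services]); indented lines continue a list."""
    procs, pid = {}, None
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*\S)\s+(\d+)\s+(\S.*)$", line)
        if m:
            pid, rest = int(m.group(2)), m.group(3)
            procs[pid] = (m.group(1), [])
        elif line[:1].isspace() and pid is not None:
            rest = line  # wrapped service list belonging to the previous PID
        else:
            continue  # header, separator or blank line
        names = (s.strip() for s in rest.split(","))
        procs[pid][1].extend(s for s in names if s and s != "N/A")
    return procs

def who_listens(port):
    """Return (pid, image, services) for a listening TCP port, else None."""
    pid = listeners(NETSTAT_ANO).get(port)
    if pid is None:
        return None
    image, services = services_by_pid(TASKLIST_SVC).get(pid, ("unknown", []))
    return pid, image, services

if __name__ == "__main__":
    print(who_listens(1025))
```

The result names every service sharing that svchost.exe process, not the single service that bound the port.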
snapdragin
August 1st, 2002, 12:00 AM
quoting: Technodrome
......ctl-alt-del-----> win task manager----->processes---->end process . but i bet you already knew this ;) .
Technodrome
LOL!....of course i knew that!! (i, just forgot) ::)
Rickster
August 1st, 2002, 02:58 AM
My XP is lean and always has 18 to 20 system32/svchost ports listening. Others, like Proxo, listens on 8080, which if you look up is a port for “proxy [but also] RAT’s: Brown Orifice, RemoteConChubo, RingZero." As Techno said, some ports are named for the Trojans known to use them, or previously assigned services. When you see 0.0.0.0:Port# using 0.0.0.0. the service is dormant but only listening, that’s all. One is Port 135 – RPC, Remote Procedure Location Service using 0.0.0.0.: to some unassigned port. Some are loop backs to other system32 services to communicate with each other. Others listen for automatic updates via your security programs, or MS updates.
You can go nuts trying to figure out everything using svchost that listens, but don't let the "handle" given the port name worry you, it's not always related. Considering what you’re using, you’re well protected. Use TDS Net Stat frequently, but focus on the Established TCP and Remote TCP Connection tabs primarily. When off-line, mine are always blank there, unless my e-mail and AV program are checking for mail – anything else would get my undivided attention. As you saw when you shutdown svchost on 1025 – see all the relevant services that went down with it. It’s safe to leave it be. I bet if you scan each of those ports, they'll show closed or stealthed too.
Technodrome
August 1st, 2002, 10:58 AM
quoting: snapdragin
but it still didn't tell me what the svchost.exe was exactly and with it using that much memory...i wanted to find out.
LOL!! THIS was a learning experience!
i went into the Advanced System Information panel, but the Process ID for each running service wasn't listed (oversight on M$ there because it sure would have made it easier)....so i copied a before and after. These 14 services stopped running when i shut down Port 1025 and the svchost.exe that's listening on it:
*WZCSVC svchost.exe -k netsvcs Stopped Auto
*TrkWks svchost.exe -k netsvcs Stopped Auto
*TermService svchost.exe -k netsvcs Stopped Manual
*srservice svchost.exe -k netsvcs Stopped Auto
*ShellHWDetection svchost.exe -k netsvcs Stopped Auto
*seclogon svchost.exe -k netsvcs Stopped Auto
*Schedule svchost.exe -k netsvcs Stopped Auto
*Netman svchost.exe -k netsvcs Stopped Manual
*lanmanworkstation svchost.exe -k netsvcs Stopped Auto
*lanmanserver svchost.exe -k netsvcs Stopped Auto
*Dhcp svchost.exe -k netsvcs Stopped Auto
*CryptSvc svchost.exe -k netsvcs Stopped Auto
*Browser svchost.exe -k netsvcs Stopped Auto
*AudioSrv svchost.exe -k netsvcs Stopped Auto
-------------
if i have a trojan...i think i need it! ;)
i don't, do i....
but why would all these services have to be listening on a port?
You've got no Trojan Horse on your system!
If you want to know more about those services including svchost.exe go to this site:
http://www.blackviper.com/
Technodrome
snapdragin
August 2nd, 2002, 06:44 AM
:)
MyNethingieMan, Technodrome, and Rickster.....thank you very much for your help and guidance!
MNM---i looked at the Advanced Administrative Tools (especially that Process Monitor) at G-Lock Software...WOW! Even though it's a bit up there in price, given it's an 11 in 1 utilities makes it very tempting just to d/l the trial version and see what it comes up with. Have you tried this program yourself?
Rickster---yup, you are right! most of the ports that show up in Netstat are with the 0.0.0.0. and just listening (usually only one that shows Established is icq when i have it on).....but you have up to 80 listening all at once?? woooo! mine only shows 3-4 listening. (not as worried now! thanks!) :D
Technodrome---thank you again for your help, and i feel confident i don't have a trojan on either pc now. The "Active Port" program is really sweet! Do you know if they have an earlier version of that, that would work on Win98se or WinME....or would the one listed for XP there, also work on earlier OS?
thanks again everyone!
Technodrome
August 2nd, 2002, 03:58 PM
quoting: snapdragin
Technodrome---thank you again for your help, and i feel confident i don't have a trojan on either pc now. The "Active Port" program is really sweet! Do you know if they have an earlier version of that, that would work on Win98se or WinME....or would the one listed for XP there, also work on earlier OS?
thanks again everyone!
NP snapdragin! ;)
Active Ports will only work with nt/2000/xp systems!
Technodrome