Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.





Goto Port 1024
Probe Port 1025
Enter Port: 0-65535
Goto Port 1026



Port Authority Database

Port 1025

Name: 
blackjack

Purpose: 
network blackjack

Description: 
Microsoft operating systems tend to allocate one or more unsuspected, publicly exposed services (probably DCOM, but who knows) among the first handful of ports immediately above the end of the service port range (1024+).

Related Ports: 
1024, 1026, 1027, 1028, 1029, 1030




Background and Additional Information:

The most distressing aspect of this, is that these service ports are wide open to the external Internet. If Microsoft wants to allow DCOM services and clients operating within a single machine to inter-operate, that's fine. But in that case the DCOM service ports should be "locally bound" so that they are not wide open and flapping in the Internet breeze. This is trivial to do, but Microsoft doesn't bother. Or, if there might be some reason to have DCOM used within a local area network, DCOM traffic could be generated with packets having their TTL (time to live) set down to one or two. This would allow DCOM packets complete local freedom, but they would expire immediately after crossing one or two router hops. The point is, there are many things Microsoft could easily do if they had any true concern for, or understanding of, Internet security.

Who knows what known or unknown, discovered or yet to be discovered vulnerabilities already exist those exposed servers and services? This is PRECISELY the situation which hit end users who didn't realize they were running a personal version of Microsoft's IIS web server when the Code Red and Nimda worms hit them and installed backdoor Trojans in their systems. And it's IDENTICAL to the situation when the SQL Slammer worm ripped across the Internet and tens of thousands of innocent end users discovered, to their total surprise, that some other software (Here's an off-site link to SQL-installing applications.) had silently installed Microsoft's insecure and now exploited SQL server into their machines, and that server had silently opened their ports 1433 and 1434 to the entire Internet.

If you are reading this page because our port analysis has revealed that you have open ports lying between 1024 and 1030, it would certainly be in your best interests to configure your personal firewall to block incoming connection requests (TCP SYN packets) to those low-numbered ports.

Unfortunately, since Windows initially initiates outgoing connections from this same low-numbered port range (as the first ports it uses immediately after booting), you may need to be careful with the configuration of your firewall rules. Otherwise you may find that the first several outbound connection attempts made by Windows will fail because returning traffic has been blocked at your firewall. However, any good stateful personal firewall, such as Zone Alarm and probably others, ought to block these low-numbered ports automatically. And, of course, placing any network behind a NAT router provides extremely good hardware firewall protection for your system(s).

Trojan Sightings: Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page