# MS spying through Office v.X?



## jeb1138 (Oct 13, 2001)

I randomly did a port scan on myself today w/ Network Utility and noticed two extra ports open on my machine that I didn't recognize.  I shut everything down and they were gone.  I closed and opened Word and Excel (from the latest Office v.X beta) several times to check and sure enough, they were each opening up a port on my computer.  It seemed to be messing up iTunes streaming as well, but I'm not sure about that.

Does anyone know if this is a standard thing for beta software so they can get feedback or something, or is this the long and prying arm of M$ or what?

Also, does anyone know of a way to shut the ports off or block them?  Or would that be 'ungrateful' to M$ for providing a beta in the first place...


----------



## cvisors (Oct 13, 2001)

Hi,
Firstly, which ports are they?

Secondly, what you could do is use a firewalling application such as BrickHouse to close access to these ports from the outside world. You can get BrickHouse from:
http://personalpages.tds.net/~brian_hill/brickhouse.html

Tell me if this helps.

Also for port scanning, I would recommend using nmap. It is a command line util, which you will need to compile, and can be got from:
www.insecure.org

Regards,
Benjamin


----------



## jeb1138 (Oct 13, 2001)

Thanks for the info cvisors.  nmap seems pretty cool and I'll check out brick house.

The ports actually change every time I start up Word, Excel, etc. but they always seem to be 3 thousand-something (e.g. 3300).

So is this something normal and does it mean that MS is recording info from me?

Thanks.


----------



## cvisors (Oct 13, 2001)

This seems quite odd that an application like Office opens these ports, I can't see why. Are you using the mail client at all?

What you would need to do is monitor network traffic on your machine. An application like ettercap (it's on VersionTracker) will help you there. What it is, is a network sniffer; I haven't used it before so I am not 100% sure how well it works.

One other thing you could try and do is, when the ports are open, in your terminal type

```
telnet localhost 3000
```

where 3000 is the open port, and see if you get anything there (you probably won't).

Benjamin


----------



## jeb1138 (Oct 13, 2001)

I tried telnet and got this:

```
jeb1138% telnet localhost 3712
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
```

As would be expected, any other port not detected by the port scan gave this:

```
jeb1138% telnet localhost 3012
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
```

I'll try to get ettercap to work, it's having problems at the moment.  I'm not using Entourage at all, if that's what you mean by 'the mail client'.  I think this is a little strange too.  What's MS doing?


----------



## jdog (Oct 13, 2001)

wow, if you're right there could be some serious stuff going on.  Does this happen with the Word eval?

-jdog


----------



## LordOphidian (Oct 13, 2001)

Ok, here is another way you can get some info about what's going on.  Open the terminal and run

```
$ lsof | grep 'tcp' | less
```

and look for Word and see which ports it's actually connecting to and where they are pointing if they are connected to anything.  Basically this way you can make sure it's Word or Excel that is binding to those ports and maybe get some more info about what it's doing.


----------



## jeb1138 (Oct 14, 2001)

Ophidian - when I execute

```
$ lsof | grep 'tcp' | less
```

in Terminal I get only this:

```
jeb1138% $ lsof | grep 'tcp' | less
$: Command not found.
(END)
```

What am I doing wrong?

Also, anybody have any good experience with some sort of sniffer in X?  I installed ettercap, but the installation finished leaving no trace of a program to use, at least not that I can see.  Help?

For every Office v.X program I open - Excel, Word, PowerPoint - another port opens.  And when I close them the ports close.

Can anyone else who has the Office v.X beta run a port scan on themselves and help verify whether this is a universal thing?


----------



## jeb1138 (Oct 14, 2001)

jdog - it doesn't happen with 'Word X Test Drive'.  Just Word from Office v.X.


----------



## simX (Oct 14, 2001)

The $ is a prompt symbol.  So everything after that you would type.  Just type "lsof|grep 'tcp'|less" without the double-quotes, and it should work.


----------



## blb (Oct 14, 2001)

The next time you see one of these ports open, run the following:

```
sudo tcpdump -i en0 port 3000
```

replacing 3000 with the port it's chosen for that particular time.  This will watch that port (and only that port, so you don't have to see all the other stuff) and dump everything seen to the Terminal where you run tcpdump.


----------



## cvisors (Oct 14, 2001)

I may try and find a copy of the beta, so I can have a look into this, it is quite odd.

This will only really become an issue though if the final version that MS ship in November does this. I wonder, could it be something to do with .NET?

BTW, which version of Office X is it?

Regards 
Benjamin


----------



## Solaris (Oct 14, 2001)

I was reading a review in Macworld UK and apparently there is something that always runs (even with no Office apps open) called Office Notifications. It sounds like it handles your email and instant message alerts. Maybe these ports have something to do with that??


----------



## yogel (Oct 14, 2001)

As much as I'd love to believe that MS was doing nasty stuff to us, I have multiple confirmations from all over MS that this is not the case. At times, they have these things for remote debugging - and that sounds very suspiciously like the debugging port.

It could also be auto update. But I'd put my money on remote debugging.

Andrew


----------



## theolein (Oct 15, 2001)

This is interesting. A good packet sniffer is tcpflow. It is more powerful than tcpdump and will monitor all traffic between you and a foreign host. It is available as a package. I don't have the url handy right now but you can find it on the web easily enough. It will also as far as I know look for specific characters in a packet.

If MS is using Word and Excel to open ports it means they are there for some reason. I would NOT put it past MS to do this. They have done similar things before. A firewall will not help you here as a firewall blocks connections from the outside but normally allows all outgoing connections. If I were you I would block these ports (although that would be difficult if they are using different ones each time) and definitely monitor what is going out. My guess is that MS is trying to gather information illegally from users. I must also state that while what they might be doing is illegal, I'm not too sure if your possessing this beta software is legal.


----------



## sinebubble (Oct 15, 2001)

Yep, I'm seeing the same thing. Word triggers port 2222/udp and 3XXX/tcp. No snoop on Mac OS X? Hm...


----------



## Zim (Oct 15, 2001)

Actually with built-in ipfw this should not be difficult to block in a brute-force fashion by blocking all traffic to/from Microsoft, i.e.:

```
${IPFW} add 00603 deny log all from any to 207.46.0.0/16 out via en0
```

this blocks you surfing to them as well, but you could make finer grain rules, and/or specifically add a rule beforehand to allow port 80 access.


Mike


----------



## soellman (Oct 15, 2001)

it's called network licensing enforcement.. try and run copies of office on two different machines with the same serial, and it will figure it out pretty quickly. Remember quarkxpress? same deal, except it used appletalk broadcasts instead of straight tcp/ip..

although it's easier to get around it this time, just some simple ipfw rules and you're golden.


----------



## jeb1138 (Oct 15, 2001)

Thanks for the info so far all.

I got tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/) and it's a cool app.  I've left it running but it hasn't detected anything going through these ports, not even when Word &etc. start up.

It would be interesting to see if anything was communicated during the first run (i.e. soellman's theory). If anybody is thinking of installing the latest Office v.X, if you'd start tcpflow before you run any of the programs for the first time and post the results it would be appreciated.

I'll try leaving tcpflow running for a while and see if anything happens.  If yogel is right it might send something if it crashes etc.

cvisors - it's the same version that people on carracho &etc have been mistakenly (I hope) calling the "GM".

Solaris - "Microsoft Database Daemon" does indeed run all the time in the background but it isn't opening up any ports and doesn't seem to be communicating anything, as far as I can see.

To use ipfw we'd have to find out what IP it tries to communicate with first, right?  Is there any way just to shut off a range of ports?  (3000-4000)


----------



## cvisors (Oct 16, 2001)

I haven't had much luck getting it as of yet, not too much of an issue.

I am having a look at tcpflow, and looking at putting together a bunch of scripts that will make setting up ipfw a little easier. It's based on some ipfw scripts that I put together for some FreeBSD machines I work on.

Benjamin


----------



## rharder (Oct 16, 2001)

The ports could also be for internal your-computer-to-your-computer communication only just like the half-dozen ports that are open by default for RPC and what-not. Nothing nefarious there.

-Rob


----------



## petewaugh (Oct 16, 2001)

Soellman is right, we've tried to run multiple copies of Office v.X on our lan using the same serial number and it lets you know pdq that more than one instance of that serial number is not allowed.


----------



## theolein (Oct 16, 2001)

I hope soellman is right. However (I'm not a Unix guru) I had a problem once on a Linux box after Netscape6 beta trashed my Xserver and I was trying to fix it. I came across the communication used by Xfs and XFree86. It used the Unix port for communication and I was wondering if one specifically needs to use another port for process-to-process communication? One could surely just use sockets over the Unix port.

And although I am definitely paranoid, I STILL wouldn't put it past MS to try and glean user information illegally. That said, it makes sense that MS uses those ports to check licenses.


----------



## jeb1138 (Oct 16, 2001)

petewaugh - what do you mean by "it lets you know pdq"?  Can you post a screenshot of what it says?  One would think if it does that for a lan, they would also do it (or at least try to do it) across the internet.  I mean, there must be hundreds of people w/ the same serial number right now who got it one way or another.
As for internal communication - aren't there better/easier ways of doing that?  Also, besides whatever MS is doing with this, could it in any way open up security holes?  I mean, if I telnet into my computer on that port from anywhere on the net I get:

```
Trying...
Connected to [address]
Escape character is '^]'.
```

Looking forward to your scripts cvisors!


----------



## soellman (Oct 16, 2001)

yea, the way it works (I'm guessing) is that when any office program opens up, it listens on a socket with a predefined port number.  Probably the only thing that you can do with that connection is request the serial number of the running app (unless you conspiracy theorists are right).

When the app launches, it makes a broadcast on the local network to that port (or slowly scans the network for that port) and asks what serials are being run. If it finds a match, it shuts down the local app. So the way to get around this using ipfw would be to block any outgoing requests to check the network for like serials. I still haven't done any explicit homework on the subject so I don't know what ports they are..


----------



## soellman (Oct 17, 2001)

```
sudo ipfw add 0 deny udp from any to any 2222
sudo ipfw add 0 deny tcp from any to any 3464
```

that should do it..


----------



## Soapvox (Oct 18, 2001)

are those ports the ones for sure or does it change ports each time you launch?


----------



## soellman (Oct 18, 2001)

I only did limited testing with word, but those ports seem to be consistent..


----------



## WoLF (Oct 18, 2001)

Microsoft checks the serials that you use on Office v.X.

I ran into that problem when I was on my computer opening Entourage, and my dad already had it open on his machine. It said the serial is in use by his name.. I got kinda pissed that Office v.X tracks serials.. I think it's just over the network. But I don't know.


----------



## soellman (Oct 18, 2001)

> _Originally posted by WoLF_
> *Microsoft checks the serials that you use on Office v.X.*
> 
> *I ran into that problem when I was on my computer opening Entourage, and my dad already had it open on his machine. It said the serial is in use by his name.. I got kinda pissed that Office v.X tracks serials.. I think it's just over the network. But I don't know.*


yes, that's what this thread is about. and don't get pissed because you're playing around with unreleased software. besides, if you wrote a software package that you sold for hundreds of dollars, wouldn't you do something similar?


----------



## theolein (Oct 18, 2001)

http://www.zdnet.com/zdnn/stories/news/0,4586,5098483,00.html?chkpt=zdhpnews01

MS is doing exactly with OfficeXP and IE5 on Windows what I warned of. These progs send a memory image (I -hopefully- assume of only OfficeXP and IE5's data plus serial number and product key) when they crash. PC users are as mad as hell about it, and I would be too if I used their junk (notwithstanding that quite a few here are using OfficeX illegally). So, it would actually be a good idea to check the MS products and what it is they exactly check. Checking SNs over the network is old hat and can be quite easily blocked, but it would be interesting to try and get these things to crash and see if they send some stuff over the net when they do.


----------



## soellman (Oct 18, 2001)

well this is just sort of standard crash reporting stuff (Mozilla and OmniWeb both do this), but of course this is MS we're talking about so people expect the worst..

if they don't allow you to turn it off it will be pretty upsetting, as when you purchase software you don't really purchase the guarantee of bug fixes, so why should you be required to help the company to fix the bugs?


----------



## jeb1138 (Oct 19, 2001)

On the version I have, at least, the tcp ports are different every time you launch an Office v.X component.  Can you use ipfw to block a range of ports?  They're always in the 3000 range.


----------



## wyvern (Oct 26, 2001)

I could be wrong, but this is unix, folks. So I would think that you could just use ipfw (or the GUI interface BrickHouse) to block 3*** and it would substitute any number for the ***'s.


----------
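As an added example that is not from the thread (not Microsoft's code and not any poster's scripts), this shell script ties LordOphidian's lsof check to the question of blocking the whole 3000 range with ipfw: it picks the TCP listeners in a port range out of a constructed lsof listing, then prints the ipfw commands that would block that range on the LAN interface while leaving loopback alone. The sample lsof output, the interface name en0 and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick out which processes are listening on
# TCP ports in a given range from lsof output, then print the ipfw rules that would
# block inbound connections to that range from the LAN while leaving loopback alone.

# Constructed sample of `lsof -nP -i tcp` output; a stand-in for a live run.
# (Real lsof truncates long command names, e.g. "Microsoft Word" shows as "Microsoft".)
SAMPLE_LSOF='COMMAND  PID  USER  FD  TYPE  DEVICE  SIZE/OFF  NODE  NAME
Word     512  jeb    7u  IPv4  0x1a2b  0t0       TCP   *:3712 (LISTEN)
Excel    530  jeb    9u  IPv4  0x1a2c  0t0       TCP   *:3464 (LISTEN)
sshd     101  root   3u  IPv4  0x1a2d  0t0       TCP   *:22 (LISTEN)
Word     512  jeb    8u  IPv4  0x1a2e  0t0       TCP   127.0.0.1:49152 (LISTEN)
Excel    530  jeb   10u  IPv4  0x1a2f  0t0       TCP   10.0.0.5:3464->10.0.0.9:51200 (ESTABLISHED)'

# listeners_in_range LOW HIGH: reads lsof output on stdin and prints
# "COMMAND PID PORT" for every TCP listener whose port lies in [LOW, HIGH].
# The port is whatever follows the last ':' of the NAME column, so both
# "*:3712" and "127.0.0.1:3712" are handled.
listeners_in_range() {
  awk -v lo="$1" -v hi="$2" '
    NR > 1 && $NF == "(LISTEN)" {
      addr = $(NF - 1)
      sub(/.*:/, "", addr)          # keep only the port number
      port = addr + 0
      if (port >= lo && port <= hi) print $1, $2, port
    }'
}

# ipfw_rules_for_range LOW HIGH IFACE: prints (does not run; ipfw needs root) the
# rules for blocking inbound TCP connections to the range on IFACE. ipfw accepts
# "LOW-HIGH" as a port range, which is what blocking "3***" comes down to.
# The loopback allow comes first so a program talking to itself on the port
# (the internal-communication theory in the thread) keeps working.
ipfw_rules_for_range() {
  echo "sudo ipfw add 01000 allow tcp from any to any $1-$2 via lo0"
  echo "sudo ipfw add 01010 deny log tcp from any to any $1-$2 in via $3"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | listeners_in_range 3000 3999
ipfw_rules_for_range 3000 3999 en0
```

On a live machine, feed it real output with `lsof -nP -i tcp | listeners_in_range 3000 3999` instead of the sample.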



## jokell82 (Oct 26, 2001)

Ok, everyone chill for a second.  This is not M$ trying to get into your computer.  Taken from MacNN:



> Following our note this morning on Microsoft's new anti-piracy measures in Office v. X, Matthew Whitaker offered some details:
> 
> "The Office v.X for Mac os X security is based on TCP/IP. The ports being used are in the 3000 range. If you run a port scan on the machine that is running Office you will see a port in the 3xxx range is open. This port is only open if the program is running. After packet sniffing I was able to determine that there is no communication to a central database. It is in fact then only a broadcast on the local area network."


There ya go.  This has actually been documented for quite some time now, and has appeared in the past three betas at least (the ones I've used, it could have been there before that as well).  I would expect this in the GM release as well.  Basically just make sure you have a different SN from everyone on your network and you will be fine (how you acquire that SN will be up to you).


----------



## genghiscohen (Oct 30, 2001)

And if you can't get a whole bunch of CD keys, the earlier instructions on configuring your firewall can be very helpful.
Here's poor ol' Word v.X beta trying to find out if I have another  copy of Office v.X on my system:


----------

