MS spying through Office v.X?

jeb1138

Carioca
I randomly did a port scan on myself today w/ Network Utility and noticed two extra ports open on my machine that I didn't recognize. I shut everything down and they were gone. I closed and opened Word and Excel (from the latest Office v.X beta) several times to check and sure enough, they were each opening up a port on my computer. It seemed to be messing up iTunes streaming as well, but I'm not sure about that.

Does anyone know if this is a standard thing for beta software so they can get feedback or something, or is this the long and prying arm of M$ or what?

Also, does anyone know of a way to shut the ports off or block them? Or would that be 'ungrateful' to M$ for providing a beta in the first place...
 

jeb1138

Carioca
Thanks for the info cvisors. nmap seems pretty cool and I'll check out BrickHouse.

The ports actually change every time I start up Word, Excel, etc., but they always seem to be 3 thousand-something (e.g. 3300).

So is this something normal and does it mean that MS is recording info from me?

Thanks.
 

cvisors

Registered
This seems quite odd that an application like Office opens these ports, I can't see why. Are you using the mail client at all?

What you would need to do is monitor network traffic on your machine. An application like ettercap (it's on VersionTracker) will help you there; what it is, is a network sniffer. I haven't used it before so I am not 100% sure how well it works.

One other thing you could try and do is, when the ports are open, in your terminal, type
telnet localhost 3000
where 3000 is the open port, and see if you get anything there (you probably won't).

Benjamin
 

jeb1138

Carioca
I tried telnet and got this:

jeb1138% telnet localhost 3712
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

As would be expected, any other port not detected by the port scan gave this:

jeb1138% telnet localhost 3012
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

I'll try to get ettercap to work, it's having problems at the moment. I'm not using Entourage at all, if that's what you mean by 'the mail client'. I think this is a little strange too. What's MS doing?
 

jdog

Not a Moderator
wow, if you're right there could be some serious stuff going on. Does this happen with the Word eval?

-jdog
 

LordOphidian

Adjutant On-Line
Ok, here is another way you can get some info about what's going on. Open the terminal and run
Code:
$ lsof | grep 'tcp' | less
and look for Word and see which ports it's actually connecting to and where they are pointing if they are connected to anything. Basically this way you can make sure it's Word or Excel that is binding to those ports and maybe get some more info about what it's doing.
 

jeb1138

Carioca
Ophidian - when I execute
$ lsof | grep 'tcp' | less
in Terminal I get only this:

jeb1138% $ lsof | grep 'tcp' | less
$: Command not found.
(END)

What am I doing wrong?

Also, anybody have any good experience with some sort of sniffer in X? I installed ettercap, but the installation finished leaving no trace of a program to use, at least not that I can see. Help?

For every Office v.X program I open - Excel, Word, PowerPoint - another port opens. And when I close them the ports close.

Can anyone else who has the Office v.X beta run a port scan on themselves and help verify whether this is a universal thing?
 

jeb1138

Carioca
jdog - it doesn't happen with 'Word X Test Drive'. Just Word from Office v.X
 

simX

Unofficial Mac Genius
The $ is a prompt symbol. So everything after that you would type. Just type "lsof|grep 'tcp'|less" without the double-quotes, and it should work.
 
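One way to turn the lsof check above into a repeatable test: the script below (an added example, not from anyone in this thread) parses `lsof` listener output, keeps only the ports in a given range, and reports which process owns each one and whether it is bound only to 127.0.0.1 or reachable from the network. The lsof output embedded in it is constructed; the column layout assumed is that of `lsof -nP -iTCP -sTCP:LISTEN` on macOS/BSD.

```shell
#!/bin/sh
# Added example: map listening TCP ports in a range back to their owning
# process. Assumes the macOS/BSD lsof column layout produced by:
#   lsof -nP -iTCP -sTCP:LISTEN
# (-n and -P keep addresses and ports numeric so awk can parse them).

# Constructed sample of what that command might print. The "Microsoft"
# rows stand in for Word/Excel; lsof truncates the COMMAND column to
# nine characters by default (use 'lsof +c 0' to see the full name).
SAMPLE_LSOF='COMMAND     PID     USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Microsoft   412  jeb1138    7u  IPv4 0xfeedfacecafe0001      0t0  TCP 127.0.0.1:3712 (LISTEN)
Microsoft   431  jeb1138    9u  IPv4 0xfeedfacecafe0002      0t0  TCP *:3344 (LISTEN)
sshd        100     root    3u  IPv4 0xfeedfacecafe0003      0t0  TCP *:22 (LISTEN)
launchd       1     root   12u  IPv4 0xfeedfacecafe0004      0t0  TCP 127.0.0.1:5000 (LISTEN)'

# listeners_in_range LOW HIGH  < lsof-output
# Prints "PID COMMAND BIND_ADDR PORT SCOPE" for each listener whose port
# falls in [LOW, HIGH]. A socket bound only to the loopback address is
# tagged "local-only" (unreachable from the network); anything else is
# tagged "EXPOSED" and deserves a closer look with tcpdump.
listeners_in_range() {
    awk -v lo="$1" -v hi="$2" '
        NR == 1 { next }                      # skip the header row
        {
            name = $9                         # e.g. 127.0.0.1:3712 or *:3344
            n = split(name, parts, ":")
            port = parts[n] + 0
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            if (port < lo || port > hi) next
            scope = (addr == "127.0.0.1" || addr == "[::1]") ? "local-only" : "EXPOSED"
            printf "%s %s %s %d %s\n", $2, $1, addr, port, scope
        }'
}

# Runs the real command when lsof is available on the machine.
live_listeners_in_range() {
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | listeners_in_range "$1" "$2"
}

# Demonstration on the constructed sample: only the 3000-4000 rows appear.
printf '%s\n' "$SAMPLE_LSOF" | listeners_in_range 3000 4000
```

Run `live_listeners_in_range 3000 4000` while Word or Excel is open to see the real owner of the port the scan found.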

blb

`'
The next time you see one of these ports open, run the following:

sudo tcpdump -i en0 port 3000

replacing 3000 with the port it's chosen for that particular time. This will watch that port (and only that port, so you don't have to see all the other stuff) and dump everything seen to the Terminal where you run tcpdump.
 

cvisors

Registered
I may try and find a copy of the beta, so I can have a look into this, it is quite odd.

This will only really become an issue, though, if the final version that MS ships in November does this. I wonder, could it be something to do with .NET?

BTW, which version of Office X is it?

Regards
Benjamin
 

Solaris

Official something...
I was reading a review in Macworld UK and apparently there is something that always runs (even with no Office apps open) called Office Notifications. It sounds like it handles your email and instant message alerts. Maybe these ports have something to do with that??
 

yogel

Registered
As much as I'd love to believe that MS was doing nasty stuff to us, I have multiple confirmations from all over MS that this is not the case. At times, they have these things for remote debugging - and that sounds very suspiciously like the debugging port.

It could also be auto update. But I'd put my money on remote debugging.

Andrew
 

theolein

Registered
This is interesting. A good packet sniffer is tcpflow. It is more powerful than tcpdump and will monitor all traffic between you and a foreign host. It is available as a package. I don't have the url handy right now but you can find it on the web easily enough. It will also as far as I know look for specific characters in a packet.

If MS is using Word and Excel to open ports it means they are there for some reason. I would NOT put it past MS to do this. They have done similar things before. A firewall will not help you here as a firewall blocks connections from the outside but normally allows all outgoing connections. If I were you I would block these ports (although that would be difficult if they are using different ones each time) and definitely monitor what is going out. My guess is that MS is trying to gather information illegally from users. I must also state that while what they might be doing is illegal, I'm not too sure if your possessing this beta software is legal.
 

Zim

Registered
Actually, with built-in ipfw this should not be difficult to block in a brute-force fashion by blocking all traffic to/from Microsoft, i.e.

${IPFW} add 00603 deny log all from any to 207.46.0.0/16 out via en0

this blocks you surfing to them as well, but you could make finer-grained rules, and/or specifically add a rule beforehand to allow port 80 access.


Mike
 

soellman

nice face!
it's called network licensing enforcement.. try and run copies of Office on two different machines with the same serial, and it will figure it out pretty quickly. Remember QuarkXPress? same deal, except it used AppleTalk broadcasts instead of straight TCP/IP..

although it's easier to get around it this time, just some simple ipfw rules and you're golden.
 

jeb1138

Carioca
Thanks for the info so far, all.
I got tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/) and it's a cool app. I've left it running but it hasn't detected anything going through these ports, not even when Word &etc. start up.
It would be interesting to see if anything was communicated during the first run. (i.e. soellman's theory) If anybody is thinking of installing the latest Office v.X, if you'd start tcpflow before you run any of the programs for the first time and post the results it would be appreciated.
I'll try leaving tcpflow running for a while and see if anything happens. If yogel is right it might send something if it crashes etc.
cvisors - it's the same version that people on carracho &etc have been mistakenly (I hope) calling the "GM".
Solaris - "Microsoft Database Daemon" does indeed run all the time in the background but it isn't opening up any ports and doesn't seem to be communicating anything, as far as I can see.

To use ipfw we'd have to find out what IP it tries to communicate with first, right? Is there any way just to shut off a range of ports? (3000-4000)
 

cvisors

Registered
I haven't had much luck getting it as of yet, not too much of an issue :)

I am having a look at tcpflow, and looking at putting together a bunch of scripts that will make setting up ipfw a little easier. It's based on some ipfw scripts that I put together for some FreeBSD machines I work on.

Benjamin
 