trojan?

warrenpeace

Hey OS X'ers,

I smell something funny! I ran a port scan on my computer from the network utility and 631 and 1033 are open.

And the following from the command line:

lsof -i :1033
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
stroke 503 warren 4u inet 0x019dda6c 0t0 TCP localhost:49865->localhost:1033 (ESTABLISHED)

lsof -i :631 returns nothing...

Thoughts?

Cheers,
Warren Peace

P.S. Nothing enabled in the sharing, everything is firewalled.
 
I get the same ports open on mine, running 10.2.4
According to the services file, they should belong to:
631 - Internet Printing Protocol
1033 - Unlisted.

I have no services on, all ports blocked on the firewall. The following are my active processes:

[bpibook:~] bp% ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
bp 792 12.1 19.6 69976 25636 ?? S 1:53PM 2:30.32 /Applications/Safari.app/Contents/MacOS/Safari -psn_0_3014657
bp 821 7.4 4.6 40612 6056 ?? S 2:07PM 0:06.79 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_3538945
bp 546 4.0 17.4 57384 22796 ?? Ss 11:21PM 8:23.10 /System/Library/CoreServices/WindowServer console
bp 561 0.1 2.1 39596 2776 ?? S 11:21PM 1:34.98 /System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer -psn_0_524289
root 73 0.0 0.0 1316 16 ?? Ss Wed10AM 0:01.90 dynamic_pager -H 40000000 -L 160000000 -S 80000000 -F /private/var/vm/swapfile
root 107 0.0 0.7 16636 928 ?? Ss Wed10AM 2:24.75 configd
root 133 0.0 0.4 15272 464 ?? Ss Wed10AM 0:01.26 /System/Library/CoreServices/SecurityServer -X
bp 173 0.0 1.1 30596 1384 ?? Ss Wed10AM 4:28.41 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Version
root 186 0.0 0.2 14992 304 ?? Ss Wed10AM 0:01.75 /sbin/autodiskmount -va
root 215 0.0 0.0 14392 44 ?? Ss Wed10AM 0:00.74 /usr/sbin/mDNSResponder
root 229 0.0 0.1 1308 76 ?? Ss Wed10AM 0:01.07 syslogd
root 248 0.0 0.0 13584 4 ?? Ss Wed10AM 0:00.03 /usr/libexec/crashreporterd
root 251 0.0 0.2 1700 212 ?? Ss Wed10AM 0:02.22 netinfod -s local
root 285 0.0 2.3 36936 3008 ?? Ss Wed10AM 0:12.07 /System/Library/CoreServices/coreservicesd -preload AEServer
root 294 0.0 0.0 1308 0 ?? Ss Wed10AM 0:00.00 inetd
root 298 0.0 0.0 14124 64 ?? Ss Wed10AM 0:00.32 cron
root 301 0.0 0.2 3268 228 ?? Ss Wed10AM 0:08.53 /usr/sbin/cupsd
root 303 0.0 0.1 15912 128 ?? Ss Wed10AM 0:00.04 /usr/sbin/smbd -D
root 320 0.0 0.9 21500 1156 ?? S Wed10AM 0:02.48 DirectoryService
bp 332 0.0 0.0 14724 4 ?? Ss Wed10AM 0:03.44 /System/Library/CoreServices/pbs
root 430 0.0 0.1 15008 144 ?? Ss 4:58PM 0:00.10 /usr/sbin/automount -f -m /Network/Servers -fstab -m /automount -static
bp 547 0.0 1.7 47316 2192 ?? Ss 11:21PM 0:09.88 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
bp 554 0.0 0.3 14724 408 ?? Ss 11:21PM 0:03.28 /System/Library/CoreServices/pbs
bp 560 0.0 1.6 39304 2092 ?? S 11:21PM 0:14.59 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock -psn_0_393217
bp 562 0.0 5.3 64044 6924 ?? S 11:21PM 1:19.98 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_655361
bp 686 0.0 0.1 14924 104 ?? S 1:08AM 0:00.14 /System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell -psn_0_1310721
root 788 0.0 0.3 14468 360 cu. Ss+ 1:53PM 0:00.15 pppd serviceid 2 plugin /System/Library/SystemConfiguration/PPPController.bundle/Contents/PlugIns/PP
root 789 0.0 1.1 17784 1408 ?? S 1:53PM 0:00.42 DCPd
root 814 0.0 0.7 15220 864 ?? Ss 1:53PM 0:00.78 /usr/sbin/lookupd
bp 818 0.0 4.5 39524 5872 ?? S 2:07PM 0:08.31 /Applications/Utilities/Network Utility.app/Contents/MacOS/Network Utility -psn_0_3407873
root 822 0.0 0.4 14048 572 std Ss 2:07PM 0:00.75 login -pf bp
bp 823 0.0 0.6 5872 840 std S 2:07PM 0:00.15 -tcsh (tcsh)
root 831 0.0 0.2 1340 296 std R+ 2:10PM 0:00.01 ps aux
root 1 0.0 0.0 1308 0 ?? Ss Wed10AM 0:00.13 /sbin/init
root 2 0.0 0.1 1844 120 ?? Ss Wed10AM 0:01.22 /sbin/mach_init
root 51 0.0 0.3 15400 380 ?? Ss Wed10AM 0:02.57 kextd
root 69 0.0 0.0 1292 28 ?? Ss Wed10AM 0:04.94 update

I suspect it might be related to Rendezvous.
 
Ports 631 and 1033 are not visible to the network... from netstat:


tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp4 0 0 127.0.0.1.1033 *.* LISTEN


They're only bound to localhost... nothing to see here... move along... :D
 
Port 631 is the web-browser based configuration tool for CUPS, which is part of the printing subsystem. Go to the address http://localhost:631 to see it in action. It's not available at all from anywhere outside the system, so don't worry much about getting hacked on that port.

As far as port 1033, I haven't a clue.
 
I tried to read this thread but all I got was the noise that the teachers from Charlie Brown make.

Wah wah wah wahhh.

Matthew
 
Hmm...learn something new every day...didn't know CUPS had a server. Heh

I haven't figured out what 1033 is either, but it's been open since 10.1.something. Suppose one could block it, then see what doesn't work anymore....
 
1033 is netinfod. I would recommend strongly against disabling it; you may find that your ability to even log into your machine is severely hampered. As mentioned, because it's only bound to 127.0.0.1 (localhost), it is not accessible from other systems (by default; there are certainly ways to make it serve other machines in a network).


I didn't know about CUPS either.. it's turned off now... ;)

edit: ... and now it's back on. Apparently, it's required for printing to my JetDirect printer (HP2100TN/PS)... Don't know if it's required for printing to other (USB, for instance) printers, but it wouldn't surprise me. Guess it was enabled for a reason. Imagine that... :)
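The point made above (a listener bound to 127.0.0.1 is not reachable from the network, while one bound to * is) is the kind of check worth automating the next time a port scan looks scary. The following is an added example, not code from any poster in this thread: it parses BSD-style `netstat -an` output, separates loopback-only listeners from network-exposed ones, and labels the ports using the identifications given in the thread (22 ssh, 631 cupsd, 1033 netinfod). The sample output is constructed for the example (the three LISTEN lines are the ones quoted above; the ESTABLISHED line and its addresses are made up), and the port-to-service table is an assumption standing in for a real lookup in /etc/services or lsof.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the three LISTEN lines quoted in the thread plus one
# made-up ESTABLISHED line (which the parser should ignore).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
tcp4       0      0  192.168.1.5.49865      192.168.1.9.80         ESTABLISHED
"""

# Assumed static table built from the thread's own identifications; a real tool
# would consult /etc/services and `lsof -i :<port>` instead.
KNOWN_PORTS = {22: "sshd", 631: "cupsd (IPP / CUPS web UI)", 1033: "netinfod"}

# One netstat row: proto, recv-q, send-q, local, foreign, optional state.
LINE_RE = re.compile(r"^(tcp\d*|udp\d*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    service: str

    @property
    def exposed(self) -> bool:
        """True when the socket can be reached from other hosts.

        "*" means all interfaces; anything in 127/8 or ::1 is loopback only.
        """
        return not (self.addr.startswith("127.") or self.addr == "::1")


def split_local(local: str):
    """BSD netstat joins address and port with a dot: '127.0.0.1.631', '*.22'."""
    addr, _, port = local.rpartition(".")
    return addr, int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return every LISTEN socket found in netstat -an style output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "LISTEN":
            continue
        addr, port = split_local(m.group(2))
        found.append(Listener(m.group(1), addr, port, KNOWN_PORTS.get(port, "unknown")))
    return found


def exposed_ports(text: str) -> List[int]:
    """Ports that other hosts could actually connect to: the ones worth worrying about."""
    return [l.port for l in parse_listeners(text) if l.exposed]


def loopback_ports(text: str) -> List[int]:
    """Ports bound only to localhost: visible to a local port scan, invisible to the LAN."""
    return [l.port for l in parse_listeners(text) if not l.exposed]


def report(text: str) -> str:
    lines = []
    for l in parse_listeners(text):
        scope = "EXPOSED " if l.exposed else "loopback"
        lines.append(f"{scope} {l.proto} {l.addr}:{l.port} {l.service}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real machine: python3 this.py < <(netstat -an)
    print(report(SAMPLE_NETSTAT))
```

Running it on the sample prints only port 22 as exposed; 631 and 1033 come out as loopback-only, which is exactly the "nothing to see here" conclusion reached in the thread. The one caveat the thread itself raises applies here too: a loopback-only binding is the default, so the check is only as good as the netstat output you feed it, and it should be re-run after any change to sharing or NetInfo configuration.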
 