[hercules-390] TCP port 3505 is popular for a card reader

Discussion:

[hercules-390] TCP port 3505 is popular for a card reader - Any other programs using it?

hhbell370@att.net [hercules-390]

2017-04-03 19:37:20 UTC

I have a customer who for weeks has enjoyed the myDOSVS gui I sent him. Then a couple of days ago I get an email that the startup procedure has failed because something has connected to the card reader port 3505 and won't let go. It's not my program doing this and I have not googled anything that panned out to an obvious answer to the problem. Is anyone aware of other windows programs that might be out there grabbing port 3505? I see in the list of TCP ports that there is something called ccmcomm but google as I have I can't find out what it is or does. Thanks in advance for any hints.

Regards

Buddy Bell

Dennis Boone drb@msu.edu [hercules-390]

2017-04-03 20:14:23 UTC

Permalink

Post by ***@att.net [hercules-390]
I have a customer who for weeks has enjoyed the myDOSVS gui I sent
him. Then a couple of days ago I get an email that the startup
procedure has failed because something has connected to the card
reader port 3505 and won't let go. It's not my program doing this
and I have not googled anything that panned out to an obvious answer
to the problem. Is anyone aware of other windows programs that might
be out there grabbing port 3505? I see in the list of TCP ports that
there is something called ccmcomm but google as I have I can't find
out what it is or does. Thanks in advance for any hints.

The IANA listing for that port includes an email address in a domain
that has no servers. That's probably an old commercial software package
that doesn't exist any more.

The internet also mentions a trojan using that port.

But the real cause is probably either a leftover hercules listener, or a
port scan from the internet.

De

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-03 20:30:38 UTC

Permalink

Post by Dennis Boone ***@msu.edu [hercules-390]

The IANA listing for that port includes an email address in a domain
that has no servers. That's probably an old commercial software package
that doesn't exist any more.
The internet also mentions a trojan using that port.
But the real cause is probably either a leftover hercules listener, or a
port scan from the internet.

I'm assuming this is under windows.

What does netstat -anb (as an admin) say ?

Be aware that any port above 1024 is never guaranteed to be free. It
could be grabbed by an outbound TCP socket by automatic binding for example.

--Ivan

[Non-text portions of this message have been removed]

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-03 20:47:19 UTC

Permalink

Ivan, on most UNIXen one can specify min and max for ephemeral ports to
ensure that most of the well-known ports are not being used for outgoing
connexions. Hasn't Windows something similar?

Post by Ivan Warren ***@vmfacility.fr [hercules-390]

Post by Dennis Boone ***@msu.edu [hercules-390]

The IANA listing for that port includes an email address in a domain
that has no servers. That's probably an old commercial software package
that doesn't exist any more.
The internet also mentions a trojan using that port.
But the real cause is probably either a leftover hercules listener, or a
port scan from the internet.

I'm assuming this is under windows.
What does netstat -anb (as an admin) say ?
Be aware that any port above 1024 is never guaranteed to be free. It
could be grabbed by an outbound TCP socket by automatic binding for example.
--Ivan
[Non-text portions of this message have been removed]

------------------------------------

------------------------------------

Community email addresses:
Post message: hercules-***@yahoogroups.com
Subscribe: hercules-390-***@yahoogroups.com
Unsubscribe: hercules-390-***@yahoogroups.com
List owner: hercules-390-***@yahoogroups.com

Files and archives at:
http://groups.yahoo.com/group/hercules-390

Get the latest version of Hercules from:
http://www.hercules-390.org

------------------------------------

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/hercules-390/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/hercules-390/join
(Yahoo! ID required)

<*> To change settings via email:
hercules-390-***@yahoogroups.com
hercules-390-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
hercules-390-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-03 21:14:06 UTC

Permalink

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Ivan, on most UNIXen one can specify min and max for ephemeral ports to
ensure that most of the well-known ports are not being used for outgoing
connexions. Hasn't Windows something similar?

Good point John !

I hadn't thought of that. But there probably is... somewhere... deep in
the registry (or via netsh ?).

--Ivan

[Non-text portions of this message have been removed]

dave.g4ugm@gmail.com [hercules-390]

2017-04-03 21:20:29 UTC

Permalink

-----Original Message-----
Sent: 03 April 2017 22:14
Subject: Re: [hercules-390] TCP port 3505 is popular for a card reader -

Any

other programs using it?

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Ivan, on most UNIXen one can specify min and max for ephemeral ports
to ensure that most of the well-known ports are not being used for
outgoing connexions. Hasn't Windows something similar?

Good point John !
I hadn't thought of that. But there probably is... somewhere... deep in

the

registry (or via netsh ?).
--Ivan

Try this article:-

https://support.microsoft.com/en-gb/help/929851/the-default-dynamic-port-ran
ge-for-tcp-ip-has-changed-in-windows-vista-and-in-windows-server-2008

Dave

[Non-text portions of this message have been removed]
------------------------------------
------------------------------------
http://groups.yahoo.com/group/hercules-390
http://www.hercules-390.org
------------------------------------
Yahoo Groups Links

hoes.maarten@gmail.com [hercules-390]

2017-04-13 10:24:12 UTC

Permalink

Hi,

Well maybe I'm wildly mistaken here (and please ignore the message if so), but from reading these past responses it appears to me that some of the respondents have things slightly mixed up, and are confusing one thing with the other :

1.)
The OP was referencing the fixed listen ports that programs/daemons/services on the 'server' side listen on for incoming connections. If you want a program to listen on a specific port for incoming connections, it needs to be free and available and not in use for listening by another program already.

2.)
Some of the responders are talking about the random/dynamic/ephemeral ports that are created on the 'client' side for outgoing connections. These get assigned randomly as needed from the entire available port range, so if port 3505 is already in use for outgoing connections then another free port from the entire range gets selected.

While these are connected, they are not the same : If I understand things correctly one can have both a program/daemon/service like Hercules listening on port 3505 for incoming connections, and have still use port 3505 for outgoing connections. They are two different pools.

The original problem to me seems to be that another program is already listening on fixed port 3505 for incoming connections, so that Hercules (card reader) cannot use it anymore, and not that the OP has run out of the entire free range of ports for outgoing client connections. A quick Google on 'program port 3505' gets some hits for 'trojans/malware' that by default listen on this socket. If this is indeed the case, the solution would be to use an anti-virus program to remove the trojan that is keeping the socket in use, which would once more free it up for use by Hercules.

- Maarten

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 10:58:34 UTC

Permalink

Maarten,

bind() fails with EADDRINUSE, long before listen() is set up for the
port.

Perhaps you got confused by the quintuple that defines a TCP session.

Post by ***@gmail.com [hercules-390]
Hi,
Well maybe I'm wildly mistaken here (and please ignore the message if
so), but from reading these past responses it appears to me that some of
the respondents have things slightly mixed up, and are confusing one
1.)
The OP was referencing the fixed listen ports that
programs/daemons/services on the 'server' side listen on for incoming
connections. If you want a program to listen on a specific port for
incoming connections, it needs to be free and available and not in use
for listening by another program already.
2.)
Some of the responders are talking about the random/dynamic/ephemeral
ports that are created on the 'client' side for outgoing connections.
These get assigned randomly as needed from the entire available port
range, so if port 3505 is already in use for outgoing connections then
another free port from the entire range gets selected.
While these are connected, they are not the same : If I understand
things correctly one can have both a program/daemon/service like
Hercules listening on port 3505 for incoming connections, and have still
use port 3505 for outgoing connections. They are two different pools.
The original problem to me seems to be that another program is already
listening on fixed port 3505 for incoming connections, so that Hercules
(card reader) cannot use it anymore, and not that the OP has run out of
the entire free range of ports for outgoing client connections. A quick
Google on 'program port 3505' gets some hits for 'trojans/malware' that
by default listen on this socket. If this is indeed the case, the
solution would be to use an anti-virus program to remove the trojan that
is keeping the socket in use, which would once more free it up for use
by Hercules.
- Maarten

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 11:10:07 UTC

Permalink

Hi,

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Maarten,
bind() fails with EADDRINUSE, long before listen() is set up for the
port.
Perhaps you got confused by the quintuple that defines a TCP session.
Perhaps I have gotten confused. It's been a while since I last took a real

look at the workings of TCP.
;)

I have to agree with you that (even though I'm not a developer) when the
TCP port is already in use, that (most likely, again, I'm no dev) it's
'bind()' that fails with 'EADDRINUSE'. I guess the point I was trying to
make was that the most likely cause for the port being in use, is that
'malware/trojan/virus' is listening on that port preventing it's use by
Hercules, and not that the OP has run out of dynamic/ephemeral ports to
assign.

I'll crawl back under my rock now.

- Maarten

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 11:17:57 UTC

Permalink

Maarten,

If your system is a Windows system, I should tend to agree with you that
it is likely full of vira and trojans.

Mine isn't (any of above) and the only reason a port would be randomly
in use would be its assignment to an epehemeral connexion.

Hi,
On Thu, Apr 13, 2017 at 12:58 PM, 'John P. Hartmann'
__
Maarten,
bind() fails with EADDRINUSE, long before listen() is set up for the
port.
Perhaps you got confused by the quintuple that defines a TCP session.
Perhaps I have gotten confused. It's been a while since I last took a
real look at the workings of TCP.
;)
I have to agree with you that (even though I'm not a developer) when the
TCP port is already in use, that (most likely, again, I'm no dev) it's
'bind()' that fails with 'EADDRINUSE'. I guess the point I was trying to
make was that the most likely cause for the port being in use, is that
'malware/trojan/virus' is listening on that port preventing it's use by
Hercules, and not that the OP has run out of dynamic/ephemeral ports to
assign.
I'll crawl back under my rock now.
- Maarten

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 12:05:59 UTC

Permalink

Hi,

Well although the OP (who does indeed appears to be running Windows, as he
mentions "other windows programs") hasn't responded himself yet, what
triggered me in the original post was this :

" something has connected to the card reader port 3505 and won't let go "

Although the "won't let go" part was not elaborated upon, I feel free to
assume that the OP has tried things like a reboot, and immediately
afterwards tried to start Hercules, only to discover the port was (again)
in use. If this is a correct assumption (but we all know what happens when
we assume), that makes it likely that another program is listening on the
port (although of course not impossible that the same dynamic/ephemeral
port got selected again for an outgoing connection).

Anyway, it appears were not going to agree on the "what's more likely to
happen" part here, so perhaps we should just "agree to disagree".
;)

- Maarten

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Maarten,
If your system is a Windows system, I should tend to agree with you that
it is likely full of vira and trojans.
Mine isn't (any of above) and the only reason a port would be randomly
in use would be its assignment to an epehemeral connexion.

'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [hercules-390]

2017-04-13 18:59:37 UTC

Permalink

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Maarten,
If your system is a Windows system, I should tend to agree
with you that it is likely full of vira and trojans.

Fuck you, John. Your implication that the system some people use is likely infested with malware simply because that system happens to be Windows is not only untrue but also quite insulting. Your haughty and snobbish attitude and continued disrespect towards Windows user is not appreciated.

--
"Fish" (David B. Trout)
Software Development Laboratories
http://www.softdevlabs.com
mail: ***@softdevlabs.com

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 19:18:30 UTC

Permalink

Please take your sexual preference elsewhere.

On 04/13/2017 08:59 PM, ''Fish' (David B. Trout)'

Post by '\'Fish\' (David B. Trout)' ***@gmail.com [hercules-390]
Fuck you, John.

'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [hercules-390]

2017-04-13 20:28:30 UTC

Permalink

This post might be inappropriate. Click to display it.

Dave McGuire Mcguire@neurotica.com [hercules-390]

2017-04-13 20:58:05 UTC

Permalink

On 04/13/2017 02:59 PM, ''Fish' (David B. Trout)'

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
If your system is a Windows system, I should tend to agree
with you that it is likely full of vira and trojans.

Fuck you, John. Your implication that the system some people use is
likely infested with malware simply because that system happens to be
Windows is not only untrue but also quite insulting.

Forgive me for jumping in...but in the networks I've run, granted
only a few thousand machines, but still, I've found that it very nearly
always is true. Not just "likely" or "frequently", but very nearly always.

-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA

'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [hercules-390]

2017-04-13 21:29:38 UTC

Permalink

Post by Dave McGuire ***@neurotica.com [hercules-390]
Forgive me for jumping in...but in the networks I've run,
granted only a few thousand machines, but still, I've found
that it very nearly always is true. Not just "likely" or
"frequently", but very nearly always.

It depends on the skill level of the user, not which operating system said user has chosen to use.

Windows appeals to unskilled users (which encompasses the vast majority of computer users in general) leading to a much greater market share than other much less user friendly operating systems requiring much greater skill to safely use. Thus it should hardly be surprising that *generally speaking* the chance of an average Windows user being infected with malware is much greater than the average non-Windows user.

But the typical Hercules user (and Maarten specifically) does not fit the definition of the average unskilled Windows user. Therefore for you or John to summarily presume without any other evidence that a given person is likely infected with malware SIMPLY BECAUSE they chose the use Windows as their primary operating system as opposed to some other operating system is wholly baseless and without merit.

Some of us (perhaps *most* of us) on this list using Windows are quite able to use it *without* becoming infested with malware.

To imply otherwise is an insult and an attempt to start a flame war.

Not cool.

--
"Fish" (David B. Trout)
Software Development Laboratories
http://www.softdevlabs.com
mail: ***@softdevlabs.com

Dave McGuire Mcguire@neurotica.com [hercules-390]

2017-04-13 21:33:53 UTC

Permalink

On 04/13/2017 05:29 PM, ''Fish' (David B. Trout)'

Post by '\'Fish\' (David B. Trout)' ***@gmail.com [hercules-390]

It depends on the skill level of the user, not which operating system
said user has chosen to use.
Windows appeals to unskilled users (which encompasses the vast majority
of computer users in general) leading to a much greater market share
than other much less user friendly operating systems requiring much
greater skill to safely use. Thus it should hardly be surprising that
*generally speaking* the chance of an average Windows user being
infected with malware is much greater than the average non-Windows user.
But the typical Hercules user (and Maarten specifically) does not fit
the definition of the average unskilled Windows user. Therefore for you
or John to summarily presume without any other evidence that a given
person is likely infected with malware SIMPLY BECAUSE they chose the use
Windows as their primary operating system as opposed to some other
operating system is wholly baseless and without merit.
Some of us (perhaps *most* of us) on this list using Windows are quite
able to use it *without* becoming infested with malware.
To imply otherwise is an insult and an attempt to start a flame war.
Not cool.

While I cannot speak for anyone else, I myself am neither trying to
be uncool nor trying to start a flame war, I'm merely stating an
observation. But I don't allow Windows on any of my networks anymore
for a reason.

-Dave

--
Dave McGuire, AK4HZ
New Kensington, PA

'\'Fish\' (David B. Trout)' david.b.trout@gmail.com [hercules-390]

2017-04-13 22:00:02 UTC

Permalink

Post by Dave McGuire ***@neurotica.com [hercules-390]
While I cannot speak for anyone else, I myself am neither
trying to be uncool nor trying to start a flame war, I'm
merely stating an observation.

An observation which advances unjust prejudice towards Windows users.

What is true of a given population is not necessarily true for a given member of said population. You should know that Dave, just as John should. To imply otherwise -- whether intentional or not -- is like trying to say if a person is black they're likely a thug or have spent time in prison.

Post by Dave McGuire ***@neurotica.com [hercules-390]
But I don't allow Windows on any of my networks anymore
for a reason.

And your reason is quite valid. Generally speaking a random population Windows users *are* more likely to be infected with malware.

But to ASSUME that just because a person happens to be a member of said population of random Windows users thus means said person shares the same attributes as that of the overall population is prejudice, plain and simple.

And I won't abide by it.

--
"Fish" (David B. Trout)
Software Development Laboratories
http://www.softdevlabs.com
mail: ***@softdevlabs.com

dave.g4ugm@gmail.com [hercules-390]

2017-04-13 22:09:33 UTC

Permalink

This post might be inappropriate. Click to display it.

Buddy Bell hhbell370@att.net [hercules-390]

2017-04-13 14:03:46 UTC

Permalink

From the OP:

Turned out to be my fault. My GUI uses java and connecting to the card
reader I did:

Socket sock = new Socket("127.0.0.1",3505);
OutputStream os = sock.getOutputStream();

Then I wrote (with os.write(buf);) the card file to the reader.

When I went to close I only did.

os.close();

Never explicitly using:

sock.close();

When I added that last close to my code it worked fine. What I don't
understand is I have sold hundreds of my GUI without that last close
statement in there and nobody else ever had an issue with it. It is
possible the customer was using an older version of Java that behaved
differently. I seem to remember seeing documentation than when you close
the outputstream the underlying socket also gets closed but that may not
have always true in prior Java versions.

Thanks for all the input.

Buddy Bell

Hi,
On Thu, Apr 13, 2017 at 12:58 PM, 'John P. Hartmann'
Maarten,
bind() fails with EADDRINUSE, long before listen() is set up for the
port.
Perhaps you got confused by the quintuple that defines a TCP session.
Perhaps I have gotten confused. It's been a while since I last took a
real look at the workings of TCP.
;)
I have to agree with you that (even though I'm not a developer) when
the TCP port is already in use, that (most likely, again, I'm no dev)
it's 'bind()' that fails with 'EADDRINUSE'. I guess the point I was
trying to make was that the most likely cause for the port being in
use, is that 'malware/trojan/virus' is listening on that port
preventing it's use by Hercules, and not that the OP has run out of
dynamic/ephemeral ports to assign.
I'll crawl back under my rock now.
- Maarten

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-13 11:14:53 UTC

Permalink

Marteen,

If a local port has been automatically selected for an outgoing TCP
connection (to identify the local side) and you try to bind() WITH
IN_ADDRANY or the same address used for the already established outgoing
connection using that same, the bind() call will return -1 with errno
set to EADDRINUSE. the SOCKREUSEADDR socket option only allows
overriding ports bound to sockets in the transient TIME_WAIT[1] state.

--Ivan

[1] The TIME_WAIT state is a transient state that lasts usually around
30 seconds (but it's usually configurable). The purpose of the TIME_WAIT
state is to prevent the TCP stack from responding to old packets
arriving late after the session has been closed.

[Non-text portions of this message have been removed]

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 11:23:05 UTC

Permalink

Hi,

Post by Ivan Warren ***@vmfacility.fr [hercules-390]

Marteen,
If a local port has been automatically selected for an outgoing TCP
connection (to identify the local side) and you try to bind() WITH
IN_ADDRANY or the same address used for the already established outgoing
connection using that same, the bind() call will return -1 with errno
set to EADDRINUSE. the SOCKREUSEADDR socket option only allows
overriding ports bound to sockets in the transient TIME_WAIT[1] state.
--Ivan
[1] The TIME_WAIT state is a transient state that lasts usually around
30 seconds (but it's usually configurable). The purpose of the TIME_WAIT
state is to prevent the TCP stack from responding to old packets
arriving late after the session has been closed.

Thanks for correcting me on that part. I guess it's been too long since I
took a good look at the workings of TCP. I still feel though (see previous
response) that it's more likely another program (malware/trojan/another
legitimate program/daemon/service) is listening on that port, than that the
port is in use for an outgoing connection.

- Maarten

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-13 11:18:08 UTC

Permalink

John,

Curious.. I always thought a socket was defined by a "quadruple" (local
address, local port, remote address, remote port).. What is the 5th guy ?

Thanks,

--Ivan

[Non-text portions of this message have been removed]

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 11:18:55 UTC

Permalink

TCP vs UDP.

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
John,
Curious.. I always thought a socket was defined by a "quadruple" (local
address, local port, remote address, remote port).. What is the 5th guy ?

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-13 11:39:58 UTC

Permalink

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
TCP vs UDP.

John,

Well... You did say "TCP" session, and there is no such thing as an UDP
session (UDP is a connection-less protocol) !

Never mind ;)

--Ivan

[Non-text portions of this message have been removed]

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 12:06:53 UTC

Permalink

Not correct. Ask any firewall that supports VPN.

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
John,
Well... You did say "TCP" session, and there is no such thing as an UDP
session (UDP is a connection-less protocol) !
Never mind ;)

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 12:13:50 UTC

Permalink

Hrm.

Not sure about this one. Although I can fully understand that a firewall
would try to maintain some sort of internal 'state' in order to correctly
allow/block traffic (or applications having state/sessions at the
*application* level), I always thought that at the protocol level itself
UDP does not maintain a session ?

- Maarten

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Not correct. Ask any firewall that supports VPN.

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
John,
Well... You did say "TCP" session, and there is no such thing as an UDP
session (UDP is a connection-less protocol) !
Never mind ;)

------------------------------------
------------------------------------
http://groups.yahoo.com/group/hercules-390
http://www.hercules-390.org
------------------------------------
Yahoo Groups Links

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 12:19:11 UTC

Permalink

You can use sendto() on a UDP soclket to send to anyone, or you can bind
the socket and use send(). In that sense, it is a session, though it is
maintained in userland.

A firewall recognizes the UDP packet that starts a request (for some
protocols) and allows a response to travel in for some fixed time.

Post by Maarten Hoes ***@gmail.com [hercules-390]
Hrm.
Not sure about this one. Although I can fully understand that a firewall
would try to maintain some sort of internal 'state' in order to
correctly allow/block traffic (or applications having state/sessions at
the *application* level), I always thought that at the protocol level
itself UDP does not maintain a session ?
- Maarten

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 12:30:37 UTC

Permalink

Hi,

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
You can use sendto() on a UDP soclket to send to anyone, or you can bind
the socket and use send(). In that sense, it is a session, though it is
maintained in userland.

So, would I then be correct to assume that the UDP protocol itself does not
maintain a 'session' for you, but the same effect may be reached at the
application level (and the need to do so at the application level is
because it is not done at the UDP protocol level) ?

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
A firewall recognizes the UDP packet that starts a request (for some
protocols) and allows a response to travel in for some fixed time.
So the reason the firewall has to do this (using internal logic and/or

analysis of the protocol running on top of UDP) is because it's not
included in the UDP protocol ?

- Maarten

Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]

2017-04-13 19:13:52 UTC

Permalink

Hi,
On Thu, Apr 13, 2017 at 2:19 PM, 'John P. Hartmann'
You can use sendto() on a UDP soclket to send to anyone, or you can bind
the socket and use send(). In that sense, it is a session, though it is
maintained in userland.
So, would I then be correct to assume that the UDP protocol itself
does not maintain a 'session' for you, but the same effect may be
reached at the application level (and the need to do so at the
application level is because it is not done at the UDP protocol
level) ?
A firewall recognizes the UDP packet that starts a request (for some
protocols) and allows a response to travel in for some fixed time.
So the reason the firewall has to do this (using internal logic and/or
analysis of the protocol running on top of UDP) is because it's not
included in the UDP protocol ?
- Maarten

Correct. Think SFTP.
Harold Grovesteen

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 19:21:10 UTC

Permalink

Harold, secure ftp (SFTP) is tunnelled through a TCP connexion to port
22 (encrypted). You have to open port 22 in your firewall if you wish
that inbound.

Correct. Think SFTP.

Ivan Warren ivan@vmfacility.fr [hercules-390]

2017-04-13 19:33:49 UTC

Permalink

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Harold, secure ftp (SFTP) is tunnelled through a TCP connexion to port
22 (encrypted). You have to open port 22 in your firewall if you wish
that inbound.

Correct. Think SFTP.

I think he meant TFTP (not STFP).

--Ivan

[Non-text portions of this message have been removed]

'John P. Hartmann' jphartmann@gmail.com [hercules-390]

2017-04-13 19:56:09 UTC

Permalink

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
I think he meant TFTP

Trivial file transfer protocol? Unlikely I should think. (But it is UDP.)

------------------------------------

------------------------------------

Community email addresses:
Post message: hercules-***@yahoogroups.com
Subscribe: hercules-390-***@yahoogroups.com
Unsubscribe: hercules-390-***@yahoogroups.com
List owner: hercules-390-***@yahoogroups.com

Files and archives at:
http://groups.yahoo.com/group/hercules-390

Get the latest version of Hercules from:
http://www.hercules-390.org

------------------------------------

Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/hercules-390/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/hercules-390/join
(Yahoo! ID required)

<*> To change settings via email:
hercules-390-***@yahoogroups.com
hercules-390-***@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
hercules-390-***@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/

Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]

2017-04-13 19:34:41 UTC

Permalink

On Thu, 2017-04-13 at 21:21 +0200, 'John P. Hartmann'

Sorry, I was thinking TFTP. RFC 753. A file transfer protocol that
uses UDP. The "connection" is managed by the client and server
applications.

I should have learned by now not to trust my memory. :-).

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]

Correct. Think SFTP.

Maarten Hoes hoes.maarten@gmail.com [hercules-390]

2017-04-13 19:35:50 UTC

Permalink

Hi,

Hi,
On Thu, Apr 13, 2017 at 2:19 PM, 'John P. Hartmann'
You can use sendto() on a UDP soclket to send to anyone, or
you can bind
the socket and use send(). In that sense, it is a session,
though it is
maintained in userland.
So, would I then be correct to assume that the UDP protocol itself
does not maintain a 'session' for you, but the same effect may be
reached at the application level (and the need to do so at the
application level is because it is not done at the UDP protocol
level) ?
A firewall recognizes the UDP packet that starts a request
(for some
protocols) and allows a response to travel in for some fixed
time.
So the reason the firewall has to do this (using internal logic and/or
analysis of the protocol running on top of UDP) is because it's not
included in the UDP protocol ?
- Maarten

Correct. Think SFTP.
Harold Grovesteen

Got it. (although, as pointed out, the particular protocol chosen here as
an example may not be correct ?).

Which, by the way, brings us right back to the initial "UDP is a
connection-less protocol" statement that started the discussion and
derailed this fine thread here.
;)

- Maarten

Joe Monk joemonk64@gmail.com [hercules-390]

2017-04-13 13:37:31 UTC

Permalink

Firewalls maintain UDP connections thru state and connection information
within the firewall itself. This has nothing to do with the UDP protocol.

Joe

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Not correct. Ask any firewall that supports VPN.

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
John,
Well... You did say "TCP" session, and there is no such thing as an UDP
session (UDP is a connection-less protocol) !
Never mind ;)

Tony Harminc tharminc@gmail.com [hercules-390]

2017-04-13 16:49:15 UTC

Permalink

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
Not correct. Ask any firewall that supports VPN.

Post by Ivan Warren ***@vmfacility.fr [hercules-390]
John,
Well... You did say "TCP" session, and there is no such thing as an UDP
session (UDP is a connection-less protocol) !

A firewall is, like the NSA, in the business of observing the flow of data
and drawing inferences from what it sees. A firewall may be capable of
inferring the existence of a logical UDP session between endpoints, just as
the NSA infers the existence of connections between putative terrorists.
Whether the inferences reflect reality or are fabrications of doubtful
accuracy, varies in both cases. And just as the terrorists may take action
to obscure their activities, so application programs (by no means all of
which are malicious) using UDP may take actions to make their "sessions"
unnoticed by the firewall.

Tony H.

dave.g4ugm@gmail.com [hercules-390]

2017-04-03 20:26:00 UTC

Permalink

Buddy,

You might to get him to pop and elevated command prompt and run :-

netstat -b -a

which should show which executable has the port. (He may need to pip into more)

I see from :-

http://www.adminsub.net/tcp-udp-port-finder/3505

it can be used by TrojansâŠ

Dave Wade

G4UGM

From: hercules-***@yahoogroups.com [mailto:hercules-***@yahoogroups.com]
Sent: 03 April 2017 20:37
To: hercules-***@yahoogroups.com
Subject: [hercules-390] TCP port 3505 is popular for a card reader - Any other programs using it?

I have a customer who for weeks has enjoyed the myDOSVS gui I sent him. Then a couple of days ago I get an email that the startup procedure has failed because something has connected to the card reader port 3505 and won't let go. It's not my program doing this and I have not googled anything that panned out to an obvious answer to the problem. Is anyone aware of other windows programs that might be out there grabbing port 3505? I see in the list of TCP ports that there is something called ccmcomm but google as I have I can't find out what it is or does. Thanks in advance for any hints.

Regards

Buddy Bell

Peter Coghlan mailinglists@beyondthepale.ie [hercules-390]

2017-04-13 22:04:11 UTC

Permalink

Post by Dave McGuire ***@neurotica.com [hercules-390]

Post by 'John P. Hartmann' ***@gmail.com [hercules-390]
If your system is a Windows system, I should tend to agree
with you that it is likely full of vira and trojans.

Fuck you, John. Your implication that the system some people use is
likely infested with malware simply because that system happens to be
Windows is not only untrue but also quite insulting.

From my investigations, the vast majority of the thousands? of machines that
are constantly trying to break into my systems here are consumer grade network
routers, CCTV systems, televisions and other network enabled crap, pretty much
all running poorly secured copies of Busybox and other variants of unix usually
from mostly readonly filesystems, frequently infected with several different
variants of competing malware, each trying to play whack-a-mole with each other.

Like various other statistics that can be quoted, this proves exactly nothing.

As someone recently reaffirmed on another mailing list, it is possible
to write bad code in any computer language. It seems that it is equally
possible to implement bad security on any operating system.

Regards,
Peter Coghlan.