ibm-dial-out copying keystrokes?

Discussion in 'Mac Basics and Help' started by billyboy, Feb 23, 2006.

  1. billyboy macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #1
    The application "stroke" wants to connect to cable48a015.usuarios.retecal.es on TCP port 3267 (ibm-dial-out)

    Got the above message on Little Snitch. I googled it and all I understand is that it is not a trojan or virus, which is not much help.

    I admit I have little to no knowledge of ports beyond the basics for sending and receiving mail, but I am willing to learn. This may be nothing, or could it be the ISP going about their business as usual or is someone on my block being a naughty bar steward?

    thanks
     
  2. robbieduncan Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #2
    Sounds fishy to me. Have you installed an application called stroke? Why is it trying to connect to a host whose name looks like a cable modem?
     
  3. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #3
    I haven't installed stroke, no. The host is the name of someone on my retecal (ISP) network, i.e. either it is my ISP or perhaps a neighbour has tried to do something?
     
  4. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #4
    The port is what it says, according to the assigned port numbers:

    3267 tcp ibm-dial-out IBM Dial Out
    3267 udp ibm-dial-out IBM Dial Out

    but I can't find any relevant information on what it is for -- and no combinations of "stroke" and the port number show up in Google.

    I would ask your ISP whether this is anything they use, or if they can identify the target machine.
     
  5. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #5
    And I caught this message too

    The application "configd" wants to connect to cable48a015.usuarios.retecal.es on UDP port 67 (bootps)

    This is what I found but don't know what it means really.

    Port Number: 67
    TCP / UDP: UDP
    Delivery: No
    Protocol / Name: bootps
    Port Description: Bootstrap Protocol Server. Listening port on bootp & DHCP servers. Clients broadcast to it for boot or network parameters. Security Concern: Can probe NIS domain name, plus a valued DOS target.
    Virus / Trojan: No

    Side note: UDP port 67 uses the Datagram Protocol, a communications protocol for the Internet network layer, transport layer, and session layer. This protocol when used over PORT 67 makes possible the transmission of a datagram message from one computer to an application running in another computer. Like TCP (Transmission Control Protocol), UDP is used with IP (the Internet Protocol) but unlike TCP on Port 67, UDP Port 67 is connectionless and does not guarantee reliable communication; it's up to the application that received the message on Port 67 to process any errors and verify correct delivery.

    Can someone make sense of this?
     
  6. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #6
    UDP ports 67 and 68 are used to request and receive IP addresses via DHCP.
     
  7. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #7
    thanks, so what is the connection with the two messages and the cable at retecal address?
     
  8. CanadaRAM macrumors G5

    CanadaRAM

    Joined:
    Oct 11, 2004
    Location:
    On the Left Coast - Victoria BC Canada
    #8
    Could that address be your own cable modem?
     
  9. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #9
    No clue. All I can tell you is that outgoing connection requests to UDP 67 are probably benign.
     
  10. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #10
    No, it isn't mine.
     
  11. generik macrumors 601

    generik

    Joined:
    Aug 5, 2005
    Location:
    Minitrue
    #11
    Do you have a P2P application running?

    What's 'stroke' btw? :confused:
     
  12. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #12
    no, I am running firefox, mail, a programme called filechute that is set to upload files to my .mac homepage, network utility, iTunes, preview, word, console, photoshop and textedit.

    I not long ago had a message from Little Snitch saying firefox-bin was going to www.paypal.com - I certainly hadn't opened the webpage. No idea what this means. Something, nothing? I sent this info to paypal just in case!

    thanks for taking an interest btw - more than the Apple discussions can say for themselves so far.

    As for stroke - I don't know what it is. Is it a name of a UNIX utility maybe?
     
  13. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #13
    Nope. Not one I've ever heard of.

    Maybe you should give us the results of this from the Terminal:

    sudo find / -name "stroke"

    EDIT: Actually, I'm wrong. I was doing this myself and look what I found:

    Code:
    yellow% sudo find / -name "stroke"
    /Applications/Utilities/Network Utility.app/Contents/Resources/stroke
    So apparently it's part of the Network Utility app. Were you using that at the time? And now that I think about it, stroke might be used in port scanning or in keeping a connection alive, like an FTP connection. Stroking, if you will..

    Again, that's just a guess. But "stroke" might be benign as well.
     
  14. billyboy thread starter macrumors 65816

    billyboy

    Joined:
    Mar 15, 2003
    Location:
    In my head
    #14
    Good deduction! With a clue about Network Utility in the mix, Google turned up this article: http://www.macgeekery.com/hacks/software/antisocial_portscanning

    A benign utility that could be used for sinister purposes. I am going to ask my ISP what or who that cable modem address is, and perhaps that will solve this question for good. Thanks for your help and if I hear anything, or lose all my data or passwords I will report back.
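
An added example, not part of the thread: a Python sketch that parses alerts in the wording quoted in posts #1 and #5 and groups them by application and host. The name in parentheses is only the registered label for the port number, so a port-scanning helper (which is what the thread suggests `stroke` is) shows up as one application trying many ports on one host. The last two sample lines and the `scan_threshold` value are constructed assumptions.

```python
import re
from collections import defaultdict

# Wording of the Little Snitch prompts quoted in the thread.
ALERT_RE = re.compile(
    r'The application "(?P<app>[^"]+)" wants to connect to (?P<host>\S+) '
    r'on (?P<proto>TCP|UDP) port (?P<port>\d+)(?: \((?P<service>[^)]+)\))?'
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields

def triage(lines, scan_threshold=3):
    """Label each (app, host) pair by the set of ports it tried.

    scan_threshold is an assumed cut-off, not a Little Snitch setting.
    """
    tried = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            tried[(alert["app"], alert["host"])].add((alert["proto"], alert["port"]))
    verdicts = {}
    for pair, ports in tried.items():
        tcp_ports = {port for proto, port in ports if proto == "TCP"}
        if ports == {("UDP", 67)}:
            verdicts[pair] = "dhcp"        # BOOTP/DHCP server port only
        elif len(tcp_ports) >= scan_threshold:
            verdicts[pair] = "port-scan"   # one app walking ports on one host
        else:
            verdicts[pair] = "review"      # the port label alone proves nothing
    return verdicts

HOST = "cable48a015.usuarios.retecal.es"
SAMPLE = [
    # The two alerts quoted in the thread:
    f'The application "stroke" wants to connect to {HOST} on TCP port 3267 (ibm-dial-out)',
    f'The application "configd" wants to connect to {HOST} on UDP port 67 (bootps)',
    # Constructed follow-on alerts, as a scan of neighbouring ports would raise:
    f'The application "stroke" wants to connect to {HOST} on TCP port 3268 (msft-gc)',
    f'The application "stroke" wants to connect to {HOST} on TCP port 3269 (msft-gc-ssl)',
]

if __name__ == "__main__":
    for pair, verdict in triage(SAMPLE).items():
        print(pair, verdict)
```

With only the two alerts from the thread, `stroke` comes out as `review`; the verdict changes to `port-scan` once the constructed alerts for neighbouring ports are included.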
     
