13 Replies Latest reply on Sep 19, 2012 6:26 AM by taylorsharpe

    Port 5003 - trojans ... :-)

    CarstenLevin

      Hi, one of our customers' firewalls gave this listing of use/misuse of port 5003.

       

      We have many, many FileMaker Servers with port 5003 open in the firewalls, at many sites, Danish and international companies. Also some very restrictive ones with very strict rules.

      We never had any security problem with FileMaker 7-8-8.5-9-10-11 and of course not with 12.

       

      And when FileMaker is listening on 5003, I would say that there will be no risk. But I promised to check it and to come back with what I could find.

       

      Can anyone supply me with extra information?

       

      Best regards

       

      Carsten

       

       

       

      Port(s) | Protocol | Service | Details | Source
      5003 | tcp | trojans | W32.Spybot.IVQ (01.26.2005) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 5002, 5003, 1927, 1930. | SG
      5003 | tcp,udp | FileMaker (official) | | Wikipedia
      5003 | tcp | fmpro-internal | FileMaker, Inc. - Proprietary transport | IANA
      5003 | udp | fmpro-internal | FileMaker, Inc. - Proprietary name binding | IANA
      5003 | tcp | fmpro-internal | FileMaker Inc. - Proprietary transport | SANS
      5003 | udp | fmpro-internal | FileMaker Inc. - Proprietary name binding | SANS
      5003 | tcp,udp | applications | Digi-Watcher | Portforward
      5003 | tcp,udp | applications | FileMaker Pro | Portforward
      5003 | tcp,udp | filemaker | Filemaker Server - http://www.filemaker.com/ti/104289.html | Nmap
      5003 | tcp | threat | W32.Spybot | Bekkoame
      5003 | tcp | fmpro-internal | FileMaker, Inc. - Proprietary transport | Bekkoame
      5003 | udp | fmpro-internal | FileMaker, Inc. - Proprietary name binding | Bekkoame

        • 1. Re: Port 5003 - trojans ... :-)
          beverly

          Is everything restricted to a domain and/or range of IP(s) within the network? For example if the firewall has 5003 open for FileMaker Server, is it also limiting the IP addresses that can get there (internal only, or if external, but static IP)?

           

          You may need to supply more info about your network for a better answer.

          Beverly

           


          • 2. Re: Port 5003 - trojans ... :-)
            taylorsharpe

            Trojans will need a port to work on, and the fact that so few are listed shows that there is not that much interest in using a FileMaker port, since it is rarely open unless FileMaker has control of that port. What is unlisted is the fact that many vulnerabilities can use a wide range of ports, and it seems this is just a list of ones that have been shown to specifically try to use FileMaker's standard port. Obviously if FileMaker is up and running and has taken control of the port, the vulnerability cannot take over. But if you stop FileMaker, the vulnerability could set up and start using that port. When you are a bad guy, you are trying to find ports to use that would appear to be legitimate, and that would be the purpose of using a service's standard listening port. From a security point of view, you can make sure FileMaker Server starts every time and seizes the port for its use. And if you stop serving FileMaker, your security plan should include turning off port 5003 as well as FileMaker's other ports such as 5353, 16000, 16001.

             

            FileMaker tends to be very secure, especially if you use the Server's secure connection option. One thing I cite to my customers is the National Institute of Standards and Technology, which sets the US Government's security standards. They keep track of vulnerabilities of various software. In the database realm, you have to go way back to something like FileMaker 6 to find a NIST-documented security vulnerability on FileMaker, and that had to do with the old way FileMaker had passwords only and not User IDs also. If you look at their info, you can find tons of vulnerabilities in most of the SQL databases, with SQL injection vulnerabilities being a really big problem. While FileMaker supports SQL calls, FileMaker is not vulnerable to SQL injection attacks like Oracle, MS SQL Server, MySQL, Postgres, etc. To sum it up... if for some reason you trust the US Government to determine vulnerabilities, then NIST has not found vulnerabilities on any recent version of FileMaker and it has on all of the major SQL databases.

            • 3. Re: Port 5003 - trojans ... :-)
              taylorsharpe

              One more comment: the FileMaker client supports peer-to-peer sharing on port 5003, in essence making the client a server. Most enterprise networks only want the server serving up the databases, and you may want to turn off FileMaker's file sharing on any client that opens a local database. Other issues with the peer-to-peer sharing are that it is unencrypted and that many people create these databases without remembering to set up security, so that anyone else could open them up via peer-to-peer without a password. This is probably not so bad if you're behind a good firewall, but still not a best practice.

              • 4. Re: Port 5003 - trojans ... :-)
                CarstenLevin

                Hi Beverly,

                 

                At the moment 5003 and other ports on the FileMaker Server is only available from within the subnet and via VPN.

                 

                But we want to give access to FileMaker users and iOS FileMaker Go users from other - not known - IP addresses.

                 

                I guess that the main question is: Will there be any problems when FileMaker Server is active and handling all connections to this port on the specific IP number?

                • 5. Re: Port 5003 - trojans ... :-)
                  CarstenLevin

                  Hi Taylor,

                  We are never using peer-to-peer. Only FileMaker Server/Advanced.

                  • 6. Re: Port 5003 - trojans ... :-)
                    taylorsharpe

                    No, FileMaker will not have a problem properly handling the port. Just make sure in the Admin Console that you have turned on "Secure Connections" so that you get SSL encryption between client and server. And if you want to limit hardware, you can use the newly supported UUID hardware identification to verify hardware that is allowed to connect to the server. What I usually do is allow anyone on that has a User ID and password, but when a new device connects, it sends me an email telling me about the device and I look over the info to confirm it is a legitimate hardware addition (e.g., I see a new salesman has logged on and realize his hardware should be new). If I don't recognize a new hardware, I call the person who logged in and confirm they logged in from legitimate hardware.

                    • 7. Re: Port 5003 - trojans ... :-)
                      taylorsharpe

                      That is a best policy, but you have to make sure your end users know this policy, because you can't turn the File Sharing option off permanently on the FileMaker client. In fact, it comes defaulted as on. So end users can start File Sharing from their FileMaker client on their own. Granted, they have to do this on a locally hosted copy of a FileMaker file. But if they create the file, then they can share it. It would be nice if FileMaker allowed installs to include not allowing the client to even have that option to File Share, as a better way to enforce security policies. FileMaker is good at security, but security is a moving target and has to continually be improved on.

                      • 8. Re: Port 5003 - trojans ... :-)
                        CarstenLevin

                        Secure connection is not a problem. But one question: Does it imply a danger that the trojan horse can be installed if you do not use secure connection?

                        I understand that the secure connection is encrypting the data sent to/from the server/client across the network. I may be wrong, but is the main purpose not to make sniffing of packets impossible?

                        • 9. Re: Port 5003 - trojans ... :-)
                          taylorsharpe

                          The Trojan will not be impacted by whether FileMaker uses a secure connection or not. What the Trojan will want to do is use the same port as FileMaker. If FileMaker is using the port, the Trojan won't be able to take over the port. The Trojan is not doing anything with FileMaker; it is simply looking for a port to use that is likely to be open and will not look suspicious. A Trojan running on port 5003 could be scanned, and it is likely that the scan would report the Trojan to be a legitimate copy of FileMaker since it is operating on the FileMaker standard port. The solution is to either use FileMaker that seizes the port or to close the port if FileMaker is not using it.
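The check Taylor describes in replies 2 and 9 (confirm that whatever is bound to 5003 really is FileMaker Server, and treat the port as something to close when it is not) can be made mechanical rather than relying on a port scanner, which only sees the port number. The following is an added example, not code from this thread or from FileMaker Inc.: a POSIX shell script that parses the output of `ss -ltnp` on a Linux host and reports whether the listener on 5003 is the expected daemon, some other process, or absent. The process name `fmserver` is an assumption; use whatever process name your FileMaker Server host actually shows. The sample `ss` lines used by `check_port` in the usage below are constructed.

```shell
#!/bin/sh
# Added example: identify the process that owns TCP port 5003 and compare it to
# the daemon we expect. Assumes Linux with iproute2 `ss`; the daemon name
# "fmserver" is an assumption and may differ on your FileMaker Server host.

EXPECTED_PROC="${EXPECTED_PROC:-fmserver}"
PORT="${PORT:-5003}"

# owner_of_port PORT
# Reads `ss -ltnp` output on stdin and prints the name of the process that
# listens on PORT (IPv4 or IPv6), or nothing if there is no listener.
# A data line looks like:
#   LISTEN 0 128 0.0.0.0:5003 0.0.0.0:* users:(("fmserver",pid=1234,fd=12))
owner_of_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # The local port is whatever follows the last colon of field 4
            # (works for 0.0.0.0:5003, *:5003 and [::]:5003 alike).
            n = split($4, a, ":"); lport = a[n]
            if (lport == port && match($0, /users:\(\("[^"]*"/)) {
                # Strip the 9-character prefix users:((" and the closing quote.
                print substr($0, RSTART + 9, RLENGTH - 10)
                exit
            }
        }'
}

# check_port
# Classifies the state of $PORT from `ss -ltnp` output on stdin:
#   ok                 - the expected daemon owns the port
#   unexpected:<name>  - another process owns it (investigate before trusting it)
#   closed             - nothing is listening (fine only if FileMaker is meant to be down)
check_port() {
    owner="$(owner_of_port "$PORT")"
    if [ -z "$owner" ]; then
        echo closed
    elif [ "$owner" = "$EXPECTED_PROC" ]; then
        echo ok
    else
        echo "unexpected:$owner"
    fi
}

# Live use on the server (process names need root): CHECK_LIVE=1 sh check_fm_port.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    ss -ltnp | check_port
fi
```

The same parse works for the UDP side of fmpro-internal with `ss -lunp` and a port filter on `UNCONN` lines; on macOS or Windows hosts substitute `lsof -nP -iTCP:5003 -sTCP:LISTEN` or `netstat -ano` and adapt the field extraction. Anything other than `ok` while FileMaker Server is supposed to be running is worth a ticket, because a scanner on the outside cannot tell the difference.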

                          • 10. Re: Port 5003 - trojans ... :-)
                            CarstenLevin

                            Hi Taylor and everybody else: If I get it right, the answer is then as I wrote in the original post:

                             

                            • "And when FileMaker is listening on 5003, i would say that there will be no danger."

                             

                            Conclusion - at least so far:

                            • If 5003 is open for foreign access it is important that FileMaker Server is open and is handling this port. This will of course be the case for any running FileMaker Server.

                            And encrypted access - Secure Connection - can be a very good idea for other reasons (package sniffing etc.), but does, at least in this case, not have any specific effect regarding trojan horses.

                             

                            But then I would like to point to the alert: distributed denial of service.

                            And this led me to some questions:

                            • Is it possible to bring FileMaker down with a DOS attack?
                            • Has it happened?
                            • Would it then be possible to insert something else behind port 5003 and take over the server?
                            • If this is the case: Is it not the same with any port ... like port 80, 3306, 1433, 1521 etc.etc.?

                             

                            And if this is the case, the main precaution would be to have a surveillance system checking that FileMaker is up and running.

                             

                            OK: Our company has kept FileMaker Servers running since FileMaker 2.1 and since FileMaker 4.1, we have had them on the Internet. During the 13 years on the internet we have had solutions running and available for the public - first a very large site around 1996-97 called www.digilife.com* and another extremely large database driven site www.nnf.dk** and later many more, including auction sites available for the public.

                            We have never had any of them hacked/cracked or infected.

                             

                            But I am responsible to our present and future customers. And therefore I am still very interested if someone has knowledge regarding DOS attacks and taking over port 5003 or other FileMaker ports through weaknesses in FileMaker.

                             

                            And I am still very confident that this is not a problem, but I would be stupid if I did not ask here.

                             

                             

                            A little bit of background

                            * and **: Yes, those very big websites were already driven by FileMaker in the 1990s. At that time we had FileMaker Unlimited with the ability to add load-balanced front-end computers, each with their own web server, ad libitum:

                            • http://web.archive.org/web/200011091153/http://www.digilife.com/usa/ ... no, please do not click the buttons. The sites (yes, about 20 countries were handled by FileMaker) were closed down when Oticon ended the digilife hearing aid concept.
                            • http://web.archive.org/web/19990125101642/http://www.nnf.dk/ and sorry - it seems that the waybackmachine has had problems with storing our dynamic graphical frontpage with its many elements. This site looked and behaved like any modern 2012 site - and we really had our programmers working hard to achieve that!
                              NNF had all the dynamics you could ask for, including active dialog and debate online, archives and meeting agendas etc. etc. for thousands of people. And FileMaker had absolutely no problems handling the load.

                            Both sites were on Windows NT 4.X with a FileMaker Server and another NT running FileMaker Unlimited and a third NT running the IIS web server (if I remember it correctly).

                            Since then we have used every FileMaker web incarnation and are happy with the present PHP implementation and the promises and performance of FileMaker 12 Server.

                            • 11. Re: Port 5003 - trojans ... :-)
                              taylorsharpe

                              There is no such computer as one that cannot be taken down by a Denial of Service attack. But there are various techniques to minimize vulnerability to this happening, such as filtering which computers can access them, keeping current on software patches, monitoring to know when you are being attacked, etc. Having a large bandwidth also helps. And FileMaker is good at terminating services as soon as credentials are invalidated (bad User ID/password) to minimize the bandwidth used by each attack. But ultimately, if some virus has taken control of hundreds of thousands of bots that are going to all try to access your FileMaker Server, then you're going down unless you have some incredible bandwidth such as Amazon. Keep in mind it doesn't really hurt your server; it just means that, because of so much bandwidth trying to access your FileMaker server, legitimate connections go really slow or the connection cannot be made at all.

                               

                              I am not familiar with a published account of a FileMaker Server being taken down by a DOS attack against the FileMaker Service port 5003. Usually you hear of attacks on more common ports such as web, mail, ftp, smb ports, etc. And while attacks on these other services/ports are not against the FileMaker Service, such attacks will still prevent legitimate access to your FileMaker Server since the bandwidth will be eaten up. Think like a bad person wanting to attack your server. Few servers have a FileMaker Server on them, so they are more likely to attack services and ports that are more common, because they are more likely to find those ports open and to have success.

                               

                              Any program can be programmed to use any port, and a trojan can be programmed to use the 5003 standard port used by FileMaker. You could also hack FileMaker and get it to use another port, but that is unsupported and probably not recommended. However, you'll sometimes hear of highly secure services using non-standard ports, usually in the very high range, to hide what service is running on them. But you often run into problems making connections when you alter the ports on a server, because the clients have to know what port to search on. For example, when you want to run the FileMaker Admin Console and you put in a URL, you have to give the server name or IP followed by port 16000 so it knows to talk to the FileMaker Admin Console (e.g., http://127.0.0.1:16000 or http://myserversdomain.com:16000).

                               

                              The biggest thing you can do to protect against DOS attacks is to have some utility software that is monitoring all access to all ports on your server and to close all ports and services not being used.  Find baselines of access so you can tell when you're being attacked.  Make a plan on what to do when attacked.  Should you shut down the service completely until the attack is over?  Do you want to have everyone reset their passwords in case a brute force attack is successful or in case someone used stupid passwords like "password" or "letmein".  All of this should be in your Security plan.  If you need to put a thorough security plan together, you might follow the US Government standards set by NIST.  In particular, look at NIST 800-53, FIPS, and various cipher levels.  FYI, FileMaker uses AES encryption with a 256 bit encryption key which is very strong and technically good up to Top Secret for the US Government. 
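Taylor's advice above to "find baselines of access so you can tell when you're being attacked" can be turned into a concrete check against the firewall's own logs. The following is an added example, not code from this thread or from FileMaker Inc.: a POSIX shell/awk script that counts new TCP connection attempts (SYN without ACK) to port 5003 per source address from kernel firewall log lines in the iptables/nftables LOG target format (`SRC=`, `DPT=`, `PROTO=TCP` fields and a `SYN` flag word) and reports the sources above a threshold. The sample log generated by `sample_log` is constructed, and the default threshold of 20 is an assumption; set it from your own measurement of normal client behaviour during a quiet period.

```shell
#!/bin/sh
# Added example: per-source count of connection attempts to the FileMaker port
# from kernel firewall log lines (iptables/nftables LOG format). The threshold
# is an assumption; derive it from a baseline of your own legitimate traffic.

FM_PORT="${FM_PORT:-5003}"
THRESHOLD="${THRESHOLD:-20}"

# flag_sources
# Reads log lines on stdin and prints "count source" for every source address
# that sent more than THRESHOLD SYNs (new connection attempts, so SYN but not
# ACK) to FM_PORT, highest count first. Prints nothing when all are under it.
flag_sources() {
    awk -v port="$FM_PORT" -v limit="$THRESHOLD" '
        /PROTO=TCP/ && /SYN/ && !/ACK/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) hits[src]++
        }
        END {
            for (s in hits) if (hits[s] > limit) print hits[s], s
        }' | sort -rn
}

# repeat_syn SRC COUNT DPT
# Emits COUNT constructed LOG-format lines for a SYN from SRC to DPT.
repeat_syn() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf 'kernel: [fw] IN=eth0 OUT= SRC=%s DST=192.0.2.10 LEN=60 PROTO=TCP SPT=%d DPT=%s WINDOW=29200 SYN URGP=0\n' \
            "$1" $((40000 + i)) "$3"
        i=$((i + 1))
    done
}

# sample_log
# Constructed sample (not real traffic): one noisy source on 5003, one normal
# client on 5003, a burst against SSH that must not be counted, and a SYN/ACK.
sample_log() {
    repeat_syn 203.0.113.7 25 5003
    repeat_syn 198.51.100.4 3 5003
    repeat_syn 192.0.2.55 30 22
    printf 'kernel: [fw] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=5003 DPT=51000 ACK SYN URGP=0\n'
}

# demo
# Runs the detector over the constructed sample. Expected: "25 203.0.113.7".
demo() {
    sample_log | flag_sources
}

# Live use, e.g. against today's kernel log on the firewall or server host:
#   journalctl -k --since today | sh this_script.sh   (or: grep DPT=5003 /var/log/kern.log | ...)
if [ "${FLAG_LIVE:-0}" = 1 ]; then
    flag_sources
fi
```

Run this on a normal day first and note the highest legitimate count; that number, not a guess, becomes `THRESHOLD`. A source far above it during a period when users report slow FileMaker connections is the signal Taylor describes, and is the address to drop at the firewall while FileMaker Server itself keeps running.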

                              • 12. Re: Port 5003 - trojans ... :-)
                                CarstenLevin

                                Dear security experts and FileMaker Server administrators and other with experience in this field,

                                 

                                Thanks to Taylor for taking the time to answer. And I can read that you are writing the same as I did very shortly in my original post, and that we share the experience that FileMaker is safe.

                                 

                                Also thanks for the fine general information on DOS attacks etc. You explain very clearly that the attacks will cause delays for legitimate users and perhaps almost cause the server to stop responding. But the FileMaker server will continue to run and that safety will therefore not be weakened. Which is also what I assumed in my opening "And when FileMaker is listening on 5003, i would say that there will be no risc."

                                 

                                But I need response from people with a different technical background than mine (Certified 7-8-9-10-11-12 developer etc. etc. - having been responsible for FileMaker web systems since FileMaker 4.1).

                                I would particularly like to hear from people who have been responsible for FileMaker servers that have been under attack or from security experts who have analyzed FileMaker in this context.

                                 

                                While "To be or not to be" is not really the question here, my question is: "Is a well-configured FileMaker Server, where only the required ports are open, really as safe as our own experience tells us?".

                                 

                                Best regards

                                 

                                Carsten

                                • 13. Re: Port 5003 - trojans ... :-)
                                  taylorsharpe

                                  I agree with Carsten and it would be good if some others who have security experience would jump into the discussion. 

                                   

                                  I will tell you that I have experience with developing FileMaker security plans for the US Government and that, other than citing the NIST 800-53 requirements, I can't tell you any more about the database(s), the security plan(s) or whether we have ever been under attack or the results of such attacks. And if you talk with anyone else ever working with federal government database security, you'll find that they are not going to be able to be candid about the information you are asking about.

                                   

                                  Unfortunately, when it gets to security, few people seem to want to or are allowed to talk about it beyond basic controls. Government workers and contractors are forbidden from talking about it. The private sector has security people with such knowledge, but they often don't want to share information that bad people could use or that competitors could steal ideas from, so they tend to be tight-lipped too. Pretty much the only security sector professionals that seem open to discussions are in the education field. It sure would be nice if there was a computer science professor or student on here that might throw some info in about their experiences.

                                   

                                  You can also Google FileMaker Security and various types of attacks and you'll see there is almost nothing about the existence or results of such attacks in the public realm. 

                                   

                                  FYI, you might want to drop David Head an email about such topics.  He is the FileMaker Inc security specialist.  I know he is on here, but I don't think he ever posts, so you'll have to contact him by email or phone.