
ardagent.app connecting to 123.123.123.123 port 3283 via UDP

I have a MacBook Pro (Retina, 15-inch, Late 2013) running 10.10.5 (14F1605). I also run a DNS server on my network on a Mac mini Server (Mid 2011) also running 10.10.5 (14F1605). I also have Little Snitch Version 3.6.2 running, and have Apple Remote Desktop Version 3.8 (380A95).


My MacBook was not able to connect to the internet. The ping utility couldn't get server names resolved, and trying to ping my Mac Mini timed out. I automatically fired up Apple Remote Desktop to try and see what was happening to the Mac Mini (I don't know why I thought that would help given that I could not ping the Mini). Then something curious happened:

1. Little Snitch reported that ARDAgent.app was attempting to connect to 123.123.123.123 on port 3283 via UDP.

2. Allowing the connection (WHAT WAS I THINKING??? I was very tired) fixed my connection issues.


I decided to check where IP 123.123.123.123 is located, and was a bit worried that it is part of the block of IPs allocated to:

inetnum: 123.112.0.0 - 123.127.255.255

netname: UNICOM-BJ

descr: China Unicom Beijing province network

descr: China Unicom

country: CN


I have never been to China!!


Why is ARDAgent phoning home to the China Unicom network?????

MacBook Pro with Retina display, OS X Yosemite (10.10.5), ARD 3.8

Posted on Mar 19, 2016 5:44 AM

5 replies

Mar 19, 2016 7:59 AM in response to raw-mob

I am hoping that some developer, like myself, has seen a lot of the postings on the internet by people who want to give an example of an IP address, who use 123.123.123.123 as a nondescript IP. Hopefully, this developer coded this IP into the ARDagent as a random IP to ping if there are network issues detected.


If this is the case, then Apple needs to audit its Apple Remote Desktop agent code to make sure that it does not do this.

I am hoping that this does not mean that my system is compromised, and has been slowly exfiltrating all of my keystrokes to China...

Mar 19, 2016 8:35 AM in response to raw-mob

Nobody else has this combination of ARDagent and that IP address in either of the two search engine caches I've checked, which implies something is either misconfigured locally, not working correctly, or potentially breached. Time to back-trace what's going on, and what sort of local network activity is happening. Or whether this is a bug in Little Snitch. TCP and UDP ports 3283 are the ARD request and reporting mechanism ports.

Mar 30, 2016 10:02 PM in response to raw-mob

Just updating:


This was occurring with ARDAgent.app version 3.8.4 and Little Snitch was reporting this app as being properly signed by Apple.


A few days after making the original post, ARDAgent version 3.8.5 was released, and there does not appear to be any untoward activity with the new version (I had not changed any settings on my MacBook Pro)... so far.
