raw-mob

Q: ardagent.app connecting to 123.123.123.123 port 3283 via UDP

I have a MacBook Pro (Retina, 15-inch, Late 2013) running 10.10.5 (14F1605). I also run a DNS server on my network on a Mac mini Server (Mid 2011) also running 10.10.5 (14F1605). I also have Little Snitch Version 3.6.2 running, and have Apple Remote Desktop Version 3.8 (380A95).

My MacBook was not able to connect to the internet. The ping utility couldn't get server names resolved, and trying to ping my Mac Mini timed out. I automatically fired up Apple Remote Desktop to try and see what was happening to the Mac Mini (I don't know why I thought that would help given that I could not ping the Mini). Then something curious happened:

1. Little Snitch reported that ARDAgent.app was attempting to connect to 123.123.123.123 on port 3283 via UDP.

2. Allowing the connection (WHAT WAS I THINKING??? I was very tired) fixed my connection issues.

I decided to check where IP 123.123.123.123 is located, and was a bit worried that it is part of the block of IPs allocated to:

inetnum:        123.112.0.0 - 123.127.255.255
netname:        UNICOM-BJ
descr:          China Unicom Beijing province network
descr:          China Unicom
country:        CN

I have never been to China!!

Why is ARDAgent phoning home to the China Unicom network?????

MacBook Pro with Retina display, OS X Yosemite (10.10.5), ARD 3.8

Posted on Mar 19, 2016 5:57 AM

  • by raw-mob,

    raw-mob, Level 1 (0 points)
    Mar 19, 2016 5:45 AM in response to raw-mob

    ... and no, I am not in China...

  • by raw-mob,

    raw-mob, Level 1 (0 points)
    Mar 19, 2016 7:59 AM in response to raw-mob

    I am hoping that some developer, like myself, has seen a lot of the postings on the internet by people who want to give an example of an IP address, who use 123.123.123.123 as a nondescript IP. Hopefully, this developer coded this IP into the ARDAgent as a random IP to ping if there are network issues detected.

    If this is the case, then Apple needs to audit its Apple Remote Desktop agent code to make sure that it does not do this.


    I am hoping that this does not mean that my system is compromised, and has been slowly exfiltrating all of my keystrokes to China...

  • by MrHoffman,

    MrHoffman, Level 6 (15,627 points)
    Mac OS X
    Mar 19, 2016 8:35 AM in response to raw-mob

    Nobody else has this combination of ARDagent and that IP address in either of the two search engine caches I've checked, which implies something is either misconfigured locally, not working correctly, or potentially breached. Time to back-trace what's going on, and what sort of local network activity is happening. Or whether this is a bug in Little Snitch. TCP and UDP ports 3283 are the ARD request and reporting mechanism ports.

  • by remotedesktop,

    remotedesktop, Level 1 (34 points)
    Mar 19, 2016 9:39 AM in response to raw-mob

    As a precaution, in Remote Desktop.app, select the Mac Mini that is calling out to the unknown IP address. Go to the Get Info -> Administrators tab and remove 123.123.123.123. Change all admin user passwords on the affected device. ARDAgent does not ping unconfigured IP addresses.
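
A small triage check for the back-trace suggested in the replies above, as an added example that is not part of the original thread: it reviews connection records for ARDAgent traffic on port 3283 and flags any destination that is not a known admin machine. The record format, the sample lines, and the `KNOWN_ADMINS` address are constructed assumptions, not Little Snitch or ARD output.

```python
import ipaddress

ARD_PORT = 3283  # ARD request and reporting port named in the thread

# Assumption: addresses of the admin machines you actually manage from.
KNOWN_ADMINS = {ipaddress.ip_address("192.168.1.10")}

# Constructed sample records: "process,protocol,destination,port"
SAMPLE = """\
ARDAgent,udp,192.168.1.10,3283
ARDAgent,udp,123.123.123.123,3283
ARDAgent,udp,192.168.1.77,3283
mDNSResponder,udp,224.0.0.251,5353
ARDAgent,udp,not-an-ip,3283
"""


def classify(dest, known=KNOWN_ADMINS):
    """Label one destination relative to the known admin list."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return "unparseable"  # hostname or garbage: review by hand
    if ip in known:
        return "known-admin"
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return "local-unlisted"  # on the LAN, but not a listed admin
    return "external"  # routable address outside the local network


def review(records, known=KNOWN_ADMINS):
    """Return (destination, protocol, verdict) for ARD traffic needing review."""
    findings = []
    for raw in records.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 4:
            continue  # skip malformed lines
        proc, proto, dest, port = parts
        if proc != "ARDAgent" or port != str(ARD_PORT):
            continue  # only ARD agent traffic on its own port
        verdict = classify(dest, known)
        if verdict != "known-admin":
            findings.append((dest, proto, verdict))
    return findings


if __name__ == "__main__":
    for dest, proto, verdict in review(SAMPLE):
        print(f"{verdict:15} {proto} {dest}:{ARD_PORT}")
```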

  • by raw-mob,

    raw-mob, Level 1 (0 points)
    Mar 30, 2016 10:02 PM in response to raw-mob

    Just updating:

    This was occurring with ARDAgent.app version 3.8.4 and Little Snitch was reporting this app as being properly signed by Apple.

    A few days after making the original post ARDAgent version 3.8.5 was released, and there does not appear to be any untoward activity with the new version (I had not changed any settings on my MacBook Pro)... so far.