Security Incidents mailing list archives
Re: Microsoft Windows ME and TCP/5000
From: Eric Fagan <fagan () LVCM COM>
Date: Mon, 5 Mar 2001 08:24:22 -0800
Hello,

Here's a follow-up on the TCP/5000 webserver found on WinME. I just wanted to thank all that wrote in -- I received several very good suggestions, including the one below.

ZA indicated the owner was SSDPSRV.EXE, or the Simple Service Discovery Protocol, which is used for Universal Plug and Play. Apparently there is a URL exchange during the discovery process of networked Plug & Play devices. XML information is then passed between the Plug & Play devices -- explaining the presence of a non-standard webserver. It seems that anyone running WinME with Universal Plug & Play enabled will likely have this process running.

I find it unusual that Microsoft did not add a description of port 5000 in the SERVICES file, like:

    ssdp    1900/udp    # SSDP
    ssdp    5000/tcp    # SSDP web-XML parser for Universal Plug & Play

That would eliminate a lot of confusion.... Anyway, here's a non-technical description of what's going on:

http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP

----- Original Message -----
From: "Joe Matusiewicz" <joem () NIST GOV>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, March 02, 2001 9:25 AM
Subject: Re: Microsoft Windows ME and TCP/5000

Why not load ZoneAlarm on it and reboot your machine? When programs try to load and act as a server, ZA will ask for your permission. When you see the prompt: "Do you want 3V1L h4x0R pR0g to act as a server?" This should identify it. Answer no, then seek and destroy. ZA is free and you got nothing to lose. I've used it to discover spyware secretly bundled with other programs that I installed.

-- Joe

At 08:08 PM 3/1/01, Bock, John (ISS San Francisco) wrote:

Use fport: http://packetstorm.securify.com/NT/FPortNG.zip or if you've got 69 bucks TCPViewpro: http://www.winternals.com/products/monitoringtools/tcpviewpro.shtml and figure out what process owns that port.

-john

----- Original Message -----
From: "Eric Fagan" <fagan () LVCM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 4:55 PM
Subject: Microsoft Windows ME and TCP/5000

Hello,

I've seen only a handful of unanswered questions when researching this subject on Google, but I've found what seems to be a webserver running on port 5000 of my WinME box. A "netstat -a" shows UDP/1900 listening and TCP/5000 listening. ICS is not installed, F/P Sharing is not enabled. On this box I have installed Halflife & QIII Arena off OEM CDs, and LimeWire (a gnutella type client). The LimeWire has since been removed and no references seem to appear for it in the registry. Telnetting to port 5000 and trying a properly formatted HTTP GET command (or using a web browser) returns HTTP 1.1/400 Bad Request. I've seen references indicating UDP/1900 is normal for ME (something to do with IP multicast & PnP detection), but TCP/5000? I'm bringing home my Network Associates VirusScan software from work today. (Shame on me, running w/out protection for two weeks -- what was I thinking!) I was just curious if anyone knew of a Trojan that camps an HTTP server on TCP/5000. Perhaps I caught something...

--Eric
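The triage step the thread circles around (match what "netstat -a" reports as listening against the SERVICES file and flag anything it cannot name) can be scripted. The following is an added example, not code from the list thread or from any of the tools mentioned in it. The netstat-style lines and both SERVICES texts are constructed for the example; the two ssdp entries in the "proposed" table are the ones the follow-up message suggests adding, and the "stock" table deliberately omits them to reproduce the original confusion.

```python
"""Flag listening ports that the SERVICES file does not describe.

Added example: parses netstat-style output and a services-style table,
then reports listeners with no matching entry. Sample data is constructed.
"""
import re

# Constructed SERVICES-style text without any SSDP/UPnP entries (the state
# the original question was asked in).
SERVICES_TEXT_STOCK = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
http         80/tcp     www       # World Wide Web
netbios-ns   137/udp    nbname    # NETBIOS Name Service
netbios-ssn  139/tcp              # NETBIOS Session Service
"""

# Same table plus the two entries proposed in the follow-up message.
SERVICES_TEXT_PROPOSED = SERVICES_TEXT_STOCK + """\
ssdp         1900/udp             # SSDP
ssdp         5000/tcp             # SSDP web-XML parser for Universal Plug & Play
"""

# Constructed netstat-style lines in the Windows 9x/ME layout
# (Proto, Local Address, Foreign Address, State; UDP rows carry no state).
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    winme:5000             0.0.0.0:0              LISTENING
  TCP    winme:139              0.0.0.0:0              LISTENING
  TCP    winme:1035             www.example.com:80     ESTABLISHED
  UDP    winme:1900             *:*
  UDP    winme:137              *:*
"""

# name, port/proto, optional aliases, optional "# comment"
SERVICES_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b.*?(?:#\s*(.*))?$")


def parse_services(text):
    """Return {(proto, port): (name, comment)} from services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVICES_RE.match(line)
        if not m:
            continue  # ignore lines that do not look like entries
        name, port, proto, comment = m.groups()
        table[(proto, int(port))] = (name, (comment or "").strip())
    return table


def parse_listeners(text):
    """Return the set of (proto, port) sockets that accept traffic.

    TCP rows count only in the LISTENING state; UDP rows have no state,
    so every bound UDP socket counts.
    """
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if len(parts) > 3 else ""
        if proto == "udp" or state == "LISTENING":
            listeners.add((proto, port))
    return listeners


def unexplained_listeners(netstat_text, services_text):
    """Sorted (proto, port) listeners that have no SERVICES entry."""
    table = parse_services(services_text)
    return sorted(p for p in parse_listeners(netstat_text) if p not in table)


def describe_listeners(netstat_text, services_text):
    """Rows of (proto, port, name, comment) for every listener, named or not."""
    table = parse_services(services_text)
    rows = []
    for proto, port in sorted(parse_listeners(netstat_text)):
        name, comment = table.get((proto, port), ("?", "no SERVICES entry"))
        rows.append((proto, port, name, comment))
    return rows


if __name__ == "__main__":
    for label, services in (("stock", SERVICES_TEXT_STOCK),
                            ("proposed", SERVICES_TEXT_PROPOSED)):
        print(f"--- SERVICES table: {label} ---")
        for proto, port, name, comment in describe_listeners(NETSTAT_TEXT, services):
            print(f"{proto.upper()}/{port:<6} {name:<12} {comment}")
        print("unexplained:", unexplained_listeners(NETSTAT_TEXT, services))
```

With the stock table the script reports TCP/5000 and UDP/1900 as unexplained, which is exactly the question the thread started with; with the two proposed ssdp entries added, every listener is named. An unexplained entry is the cue to run a port-to-process mapper such as the fport or TCPView tools recommended in the replies, rather than to guess from the port number alone.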
Current thread:
- Microsoft Windows ME and TCP/5000 Eric Fagan (Feb 28)
- Re: Microsoft Windows ME and TCP/5000 George Bakos (Mar 01)
- Re: Microsoft Windows ME and TCP/5000 Todd A. Garrison (Mar 01)
- Re: Microsoft Windows ME and TCP/5000 V. L-M (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Jeff Pults (Mar 05)
- Apache logs John A. Kotulak (Mar 05)
- Re: Apache logs Pedro Ortale Neto (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 V. L-M (Mar 02)
- <Possible follow-ups>
- Re: Microsoft Windows ME and TCP/5000 Bock, John (ISS San Francisco) (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Joe Matusiewicz (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Eric Fagan (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 Joe Matusiewicz (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Vachon, Scott (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 Magus Ba'al (Mar 09)
- Re: Microsoft Windows ME and TCP/5000 Timothy Lyons (Mar 06)