Security Incidents mailing list archives
Re: TCP port 5000 syn increasing
From: ANDREW STREULE <brother_wolf () btopenworld com>
Date: Mon, 17 May 2004 20:24:44 +0100 (BST)
on my honeypot a port 5000 event is almost always
followed by 1 or 2 nbt smb events.
the smb is like
SMB:1 [neg protocol]
Protocols:
PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
SMB:2 [session setup X]
SMB:4 [tree con X]
{\\81.x.x.x\ipc$[00]?????}
SMB:5 [nt createX]
Flags:16 Access:2019F Createop:40 Imp:2
{\lsarpc[00]}
SMB:6 [trans]
name: {[10]\PIPE\[00 00]}
all my p5000 events are from 81.x.x.x
~Andy
---------------------------------------------------------------------------
----------------------------------------------------------------------------
Current thread:
- TCP port 5000 syn increasing Rohny Jotton (May 17)
- Re: TCP port 5000 syn increasing Andreas (May 17)
- Re: TCP port 5000 syn increasing ANDREW STREULE (May 17)
- Re: TCP port 5000 syn increasing Paul Schmehl (May 17)
- Re: TCP port 5000 syn increasing Noel Cuillandre (May 17)
- Re: TCP port 5000 syn increasing Mike Barushok (May 18)
- Re: TCP port 5000 syn increasing ANDREW STREULE (May 17)
- Re: TCP port 5000 syn increasing Andreas (May 17)
- <Possible follow-ups>
- RE: TCP port 5000 syn increasing Terence Runge (May 17)
- RE: TCP port 5000 syn increasing Jose Nazario (May 18)
- RE: TCP port 5000 syn increasing Paul Schmehl (May 18)
- RE: TCP port 5000 syn increasing Frank Knobbe (May 18)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 18)
- Re: TCP port 5000 syn increasing Andreas (May 19)
- RE: TCP port 5000 syn increasing Jose Nazario (May 18)