Security Incidents mailing list archives
Re: TCP port 5000 syn increasing
From: ANDREW STREULE <brother_wolf () btopenworld com>
Date: Mon, 17 May 2004 20:24:44 +0100 (BST)
on my honeypot a port 5000 event is almost always followed by 1 or 2 nbt smb events. the smb is like SMB:1 [neg protocol] Protocols: PC NETWORK PROGRAM 1.0 LANMAN1.0 Windows for Workgroups 3.1a LM1.2X002 LANMAN2.1 NT LM 0.12 SMB:2 [session setup X] SMB:4 [tree con X] {\\81.x.x.x\ipc$[00]?????} SMB:5 [nt createX] Flags:16 Access:2019F Createop:40 Imp:2 {\lsarpc[00]} SMB:6 [trans] name: {[10]\PIPE\[00 00]} all my p5000 events are from 81.x.x.x ~Andy --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- TCP port 5000 syn increasing Rohny Jotton (May 17)
- Re: TCP port 5000 syn increasing Andreas (May 17)
- Re: TCP port 5000 syn increasing ANDREW STREULE (May 17)
- Re: TCP port 5000 syn increasing Paul Schmehl (May 17)
- Re: TCP port 5000 syn increasing Noel Cuillandre (May 17)
- Re: TCP port 5000 syn increasing Mike Barushok (May 18)
- Re: TCP port 5000 syn increasing ANDREW STREULE (May 17)
- Re: TCP port 5000 syn increasing Andreas (May 17)
- <Possible follow-ups>
- RE: TCP port 5000 syn increasing Terence Runge (May 17)
- RE: TCP port 5000 syn increasing Jose Nazario (May 18)
- RE: TCP port 5000 syn increasing Paul Schmehl (May 18)
- RE: TCP port 5000 syn increasing Frank Knobbe (May 18)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 18)
- Re: TCP port 5000 syn increasing Andreas (May 19)
- RE: TCP port 5000 syn increasing Jose Nazario (May 18)