Security Incidents mailing list archives
RE: TCP port 5000 syn increasing
From: Terence Runge <Terence.Runge () veritas com>
Date: Mon, 17 May 2004 14:11:47 -0700
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309

High Port 5000 Traffic Indicates Kibuv.b Worm At Work
By TechWeb News

Symantec's DeepSight Threat network Monday detected a very high level of unusual traffic on TCP port 5000 that indicates a worm's at work.

The latest alert, which notes "extremely heavy activity" on port 5000, is "almost certainly a worm-related activity," said Alfred Huger, the vice president of engineering for Symantec's virus watch group.

The suspected culprit is the Kibuv.b worm, which hit the Internet over the weekend and exploits a vulnerability in Windows' Universal Plug and Play (UPnP) service within Windows 98, Me, and XP. The UPnP vulnerability was first disclosed and patched in late 2001.

-----Original Message-----
From: Leonardo [mailto:lmuroya () uol com br]
Sent: Monday, May 17, 2004 1:00 PM
To: Rohny Jotton; incidents () securityfocus com
Subject: Re: TCP port 5000 syn increasing

http://isc.sans.org/port_details.php?port=5000

----- Original Message -----
From: "Rohny Jotton" <rohnyjotton () hotmail com>
To: <incidents () securityfocus com>
Sent: Sunday, May 16, 2004 9:49 PM
Subject: TCP port 5000 syn increasing

I'm seeing a large amount of these attempts starting around 1:00 PM EST Sunday. They're getting blocked at the edge so I don't have any more info than that. I'm seeing about one a second from various hosts/networks. isc.sans.org shows that port related to various backdoors. Someone or something is getting busy.