Security Incidents mailing list archives
Re: Microsoft Windows ME and TCP/5000
From: "V. L-M" <derDoc () gmx de>
Date: Fri, 2 Mar 2001 15:15:15 +0100
----- Original Message ----- From: "Todd A. Garrison" <tgarris () FRAMELOSS ORG> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Thursday, March 01, 2001 7:02 PM Subject: Re: Microsoft Windows ME and TCP/5000
Quite commonly when you setup a multi-player FPS type game they will install a web-server that allows you to change maps, kick players, etc on the game server. I know that this is the case with Unreal Tournament. As for Quake3 I am pretty sure it doesn't do this as it has the ability to allow control of these game aspects via the game itself. You may want to check the docs for Halflife to see if this is true.
Your right, UT installs a webserver on port 80 if explicitly told so, however you can change the port. Youre right Q3a doesnt and the same is right for HL. If you want to control HL through a webserver you have to install some kind of mod but normally thats only feasible for a dedicated server, because when ingame you can change everything by means of the console(same goes for UT, BTW). Even the dedicated one can controled locally. As for the port 5000, I also have ME running and never seen any port 5000 listening. What about ICQ? ICQ tends to sometimes open funny ports for listening.
Good luck! Eric Fagan wrote:Hello, I've seen only a handful of unanswered questions when researching this subject on Google, but I've found what seems to be a webserver running
on
port 5000 of my WinME box. A "netstat -a" shows UDP/1900 listening and TCP/5000 listening. ICS is not installed, F/P Sharing is not enabled. On this box I have installed Halflife & QIII Arena off OEM CD's, and LimeWire (a gnutella type client). The Limewire has since been removed
and
no references seem to appear for it the registry. Telnetting to port
5000
and trying a properly formatted http GET command (or using a web
browser)
returns HTTP 1.1/400 Bad Request. I've seen references indicated
UDP/1900
is normal for ME (something to do with IP multicast & PnP detection),
but
TCP/5000? I'm bringing home my Network Associates VirusScan software
from
work today. (Shame on me, running w/out protection for two weeks --
what
was I thinking!) I was just curious if anyone knew of a Trojan that
camps
an HTTP server on TCP/5000. Perhaps I caught something... --Eric-- Todd Garrison tgarris () frameloss org PGP KEY ID: 0x007AEAE4
Current thread:
- Microsoft Windows ME and TCP/5000 Eric Fagan (Feb 28)
- Re: Microsoft Windows ME and TCP/5000 George Bakos (Mar 01)
- Re: Microsoft Windows ME and TCP/5000 Todd A. Garrison (Mar 01)
- Re: Microsoft Windows ME and TCP/5000 V. L-M (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Jeff Pults (Mar 05)
- Apache logs John A. Kotulak (Mar 05)
- Re: Apache logs Pedro Ortale Neto (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 V. L-M (Mar 02)
- <Possible follow-ups>
- Re: Microsoft Windows ME and TCP/5000 Bock, John (ISS San Francisco) (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Joe Matusiewicz (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Eric Fagan (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 Joe Matusiewicz (Mar 02)
- Re: Microsoft Windows ME and TCP/5000 Vachon, Scott (Mar 05)
- Re: Microsoft Windows ME and TCP/5000 Magus Ba'al (Mar 09)
- Re: Microsoft Windows ME and TCP/5000 Timothy Lyons (Mar 06)