Security Incidents mailing list archives
Re: Microsoft Windows ME and TCP/5000
From: Joe Matusiewicz <joem () NIST GOV>
Date: Fri, 2 Mar 2001 12:25:24 -0500
Why not load ZoneAlarm on it and reboot your machine? When programs try to load and act as a server, ZA will ask for your permission. When you see the prompt: "Do you want 3V1L h4x0R pR0g to act as a server?" This should identify it. Answer no, then seek and destroy. ZA is free and you got nothing to lose. I've used it to discover spyware secretly bundled with other programs that I installed.

-- Joe

At 08:08 PM 3/1/01, Bock, John (ISS San Francisco) wrote:
Use fport:
http://packetstorm.securify.com/NT/FPortNG.zip
or if you've got 69 bucks TCPViewpro:
http://www.winternals.com/products/monitoringtools/tcpviewpro.shtml
and figure out what process owns that port.

-john

----- Original Message -----
From: "Eric Fagan" <fagan () LVCM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 4:55 PM
Subject: Microsoft Windows ME and TCP/5000

> Hello,
> I've seen only a handful of unanswered questions when researching this
> subject on Google, but I've found what seems to be a webserver running on
> port 5000 of my WinME box. A "netstat -a" shows UDP/1900 listening and
> TCP/5000 listening. ICS is not installed, F/P Sharing is not enabled.
>
> On this box I have installed Halflife & QIII Arena off OEM CDs, and
> LimeWire (a gnutella type client). The Limewire has since been removed and
> no references seem to appear for it in the registry. Telnetting to port 5000
> and trying a properly formatted http GET command (or using a web browser)
> returns HTTP 1.1/400 Bad Request. I've seen references indicating UDP/1900
> is normal for ME (something to do with IP multicast & PnP detection), but
> TCP/5000? I'm bringing home my Network Associates VirusScan software from
> work today. (Shame on me, running w/out protection for two weeks -- what
> was I thinking!) I was just curious if anyone knew of a Trojan that camps
> an HTTP server on TCP/5000. Perhaps I caught something...
>
> --Eric
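
Added example, not part of the original messages: the port-to-process lookup that fport and TCPView perform, done here by joining `netstat -ano` output with `tasklist /fo csv /nh` output. It assumes a Windows release whose netstat supports `-o`; the sample output, image names and allowlist are constructed.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    904
  TCP    0.0.0.0:5000       0.0.0.0:0          LISTENING    1312
  TCP    192.168.1.20:1042  203.0.113.7:80     ESTABLISHED  2208
  TCP    [::]:5000          [::]:0             LISTENING    1312
  UDP    0.0.0.0:1900       *:*                             1312
"""
# Constructed sample of `tasklist /fo csv /nh` output; image names are made up.
TASKLIST = '''\
"svchost.exe","904","Services","0","5,120 K"
"example-svc.exe","1312","Services","0","3,004 K"
"browser.exe","2208","Console","1","48,220 K"
'''

def parse_tasklist(text):
    """Map PID -> image name."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def parse_listeners(text):
    """Return (proto, address, port, pid) for TCP LISTENING and bound UDP sockets."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            local, pid = f[1], f[4]
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            local, pid = f[1], f[3]
        else:
            continue  # header, established connections, blank lines
        addr, port = local.rsplit(":", 1)  # rsplit keeps "[::]" intact
        found.append((f[0], addr, int(port), int(pid)))
    return found

def owners_of(port, listeners, images):
    """Which process image(s) hold the given port, deduplicated across addresses."""
    return sorted({(proto, images.get(pid, "<unknown>"), pid)
                   for proto, _, p, pid in listeners if p == port})

def unexpected(listeners, images, allowed):
    """Listeners whose (proto, port) is not on the operator's allowlist."""
    return sorted({(proto, port, images.get(pid, "<unknown>"))
                   for proto, _, port, pid in listeners if (proto, port) not in allowed})

if __name__ == "__main__":
    ls, imgs = parse_listeners(NETSTAT), parse_tasklist(TASKLIST)
    print(owners_of(5000, ls, imgs))
    print(unexpected(ls, imgs, allowed={("TCP", 135)}))
```
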