Security Incidents mailing list archives

Microsoft Windows ME and TCP/5000


From: Eric Fagan <fagan () LVCM COM>
Date: Wed, 28 Feb 2001 16:55:40 -0800

Hello,
  I've seen only a handful of unanswered questions when researching this
subject on Google, but I've found what seems to be a webserver running on
port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening and
TCP/5000 listening.  ICS is not installed, F/P Sharing is not enabled.

On this box I have installed Half-Life & QIII Arena off OEM CDs, and
LimeWire (a gnutella type client).  LimeWire has since been removed and
no references seem to appear for it in the registry.  Telnetting to port 5000
and trying a properly formatted HTTP GET command (or using a web browser)
returns HTTP 1.1/400 Bad Request.  I've seen references indicating UDP/1900
is normal for ME (something to do with IP multicast & PnP detection), but
TCP/5000?  I'm bringing home my Network Associates VirusScan software from
work today.   (Shame on me, running w/out protection for two weeks -- what
was I thinking!)   I was just curious if anyone knew of a Trojan that camps
an HTTP server on TCP/5000.  Perhaps I caught something...

--Eric
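
The check described in the post (connect to the listener, send a GET, read the reply), as an added example that is not part of the original message: it sends a complete HTTP/1.1 request including the Host header and reports the status line and any Server header, which helps tell what software owns the port. The function name `probe_http` and the 127.0.0.1:5000 target in the demo call are assumptions.

```python
import socket

def probe_http(host, port, timeout=3.0):
    """Send a minimal HTTP/1.1 GET and report how the listener identifies itself."""
    # HTTP/1.1 requires a Host header, so include one in the probe.
    request = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = b""
            # Read only the response head; cap the size for safety.
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:  # refused, timed out, unreachable
        return {"state": "unreachable", "error": str(exc)}

    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        # Something is listening, but it does not speak HTTP.
        return {"state": "non-http", "raw": data[:64]}

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return {"state": "http", "status": status,
            "status_line": lines[0], "server": headers.get("server")}

if __name__ == "__main__":
    # Assumed target: the local listener discussed in the post.
    print(probe_http("127.0.0.1", 5000))
```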

