Re: Microsoft Windows ME and TCP/5000

[George Bakos <alpinista () BIGFOOT COM>]

Go get yourself tdimon from Sysinternals and listen for what
crosses the Transport Driver Interface while you telnet to port 5000.
 Of course, this will only work if the beastie uses normal winsock
calls.

On 28 Feb 01, at 16:55, Eric Fagan wrote:

> Hello,
>   I've seen only a handful of unanswered questions when researching
>   this
> subject on Google, but I've found what seems to be a webserver running
> on port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening
> and TCP/5000 listening.  ICS is not installed, F/P Sharing is not
> enabled.
>
> On this box I have installed Halflife & QIII Arena off OEM CD's, and
> LimeWire (a gnutella type client).  The Limewire has since been
> removed and no references seem to appear for it the registry.
> Telnetting to port 5000 and trying a properly formatted http GET
> command (or using a web browser) returns HTTP 1.1/400 Bad Request.
> I've seen references indicated UDP/1900 is normal for ME (something to
> do with IP multicast & PnP detection), but TCP/5000?  I'm bringing
> home my Network Associates VirusScan software from work today.
> (Shame on me, running w/out protection for two weeks -- what was I
> thinking!)   I was just curious if anyone knew of a Trojan that camps
> an HTTP server on TCP/5000.  Perhaps I caught something...
>
> --Eric


George Bakos - Security Engineer
Electronic Warfare Associates
Information & Infrastructure Technologies
http://www.ewa.com


 To request PGP public key,
 mailto:alpinista () bigfoot com?subject=sendpubkey
 or http://pgpkeys.mit.edu:11371/