Security Incidents mailing list archives
Re: Microsoft Windows ME and TCP/5000
From: George Bakos <alpinista () BIGFOOT COM>
Date: Thu, 1 Mar 2001 11:29:37 -0500
Go get yourself tdimon from Sysinternals and listen for what crosses the Transport Driver Interface while you telnet to port 5000. Of course, this will only work if the beastie uses normal winsock calls.

On 28 Feb 01, at 16:55, Eric Fagan wrote:
Hello,

I've seen only a handful of unanswered questions when researching this subject on Google, but I've found what seems to be a webserver running on port 5000 of my WinME box.

A "netstat -a" shows UDP/1900 listening and TCP/5000 listening. ICS is not installed, F/P Sharing is not enabled. On this box I have installed Halflife & QIII Arena off OEM CDs, and LimeWire (a gnutella type client). The LimeWire has since been removed and no references seem to appear for it in the registry.

Telnetting to port 5000 and trying a properly formatted http GET command (or using a web browser) returns HTTP 1.1/400 Bad Request.

I've seen references indicating UDP/1900 is normal for ME (something to do with IP multicast & PnP detection), but TCP/5000? I'm bringing home my Network Associates VirusScan software from work today. (Shame on me, running w/out protection for two weeks -- what was I thinking!)

I was just curious if anyone knew of a Trojan that camps an HTTP server on TCP/5000. Perhaps I caught something...

--Eric

George Bakos - Security Engineer
Electronic Warfare Associates
Information & Infrastructure Technologies
http://www.ewa.com
To request PGP public key, mailto:alpinista () bigfoot com?subject=sendpubkey or http://pgpkeys.mit.edu:11371/