Security Incidents mailing list archives

RE: TCP port 5000 syn increasing


From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 18 May 2004 10:18:58 -0500

--On Monday, May 17, 2004 10:43:52 PM -0400 Jose Nazario <jose () monkey org> wrote:

> using the Internet Motion Sensor project hosted by umich, we've been
> monitoring global network spaces and looking at the same rise in TCP port
> 5000 traffic. however, the data doesn't support the theory of kibuv.b
> entirely.

I'd be inclined to agree with you, Jose. I suspect this is something new that's been "distributed" through a bot network of already compromised machines (Agobot/Gaobot). I'm seeing *some* correlation between hosts "poking" me on 3217 and 6129 (Agobot for sure) and 5000, but not on the other ports.

Of course with the cut and paste worms that are coming out these days, who can say what it really might be?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
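
The kind of source correlation described in the message above (hosts probing TCP 5000 that also probe 3217 or 6129) can be checked against firewall logs. This is an added example, not part of the original post; the iptables-style log format, the sample lines, and the documentation-range addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style LOG format (not real traffic).
SAMPLE_LOG = """\
May 18 10:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4211 DPT=5000 SYN
May 18 10:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4212 DPT=3217 SYN
May 18 10:01:09 fw kernel: IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1033 DPT=5000 SYN
May 18 10:02:14 fw kernel: IN=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=2750 DPT=6129 SYN
May 18 10:02:15 fw kernel: IN=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=2751 DPT=5000 SYN
May 18 10:03:40 fw kernel: IN=eth0 SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=3980 DPT=5000 SYN
May 18 10:04:01 fw kernel: IN=eth0 SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP SPT=1999 DPT=445 SYN
May 18 10:04:05 fw kernel: IN=eth0 SRC=192.0.2.13 DST=198.51.100.5 PROTO=UDP SPT=3981 DPT=3217
"""

# Match only inbound TCP SYNs; capture source address and destination port.
LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)\b.*\bSYN\b")


def sources_by_port(log_text):
    """Map each destination port to the set of source IPs that sent it a SYN."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports[int(m.group(2))].add(m.group(1))
    return ports


def overlap(ports, target=5000, markers=(3217, 6129)):
    """Return sources seen on `target` that also hit any marker port,
    plus the fraction of all `target` sources they represent."""
    target_srcs = ports.get(target, set())
    marker_srcs = set().union(*(ports.get(p, set()) for p in markers))
    both = target_srcs & marker_srcs
    frac = len(both) / len(target_srcs) if target_srcs else 0.0
    return sorted(both), frac


if __name__ == "__main__":
    shared, frac = overlap(sources_by_port(SAMPLE_LOG))
    print(f"{len(shared)} shared sources ({frac:.0%} of port-5000 scanners):")
    for ip in shared:
        print("  ", ip)
```

A low fraction is consistent with the message's observation of only *some* correlation; it does not by itself identify what is generating the port 5000 traffic.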
