RE: TCP port 5000 syn increasing

From: Terence Runge (Terence.Runge_at_veritas.com)
Date: 05/17/04

  • Next message: Noel Cuillandre: "Re: TCP port 5000 syn increasing"
    To: Leonardo <lmuroya@uol.com.br>, Rohny Jotton <rohnyjotton@hotmail.com>, incidents@securityfocus.com
    Date: Mon, 17 May 2004 14:11:47 -0700
    
    

    http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309H
    igh

    Port 5000 Traffic Indicates Kibuv.b Worm At Work

    By TechWeb News

    Symantec's DeepSight Threat network Monday detected a very high level of
    unusual traffic on TCP port 5000 that indicates a worm's at work.

    The latest alert, which notes "extremely heavy activity" on port 5000, is
    "almost certainly a worm-related activity," said Alfred Huger, the vice
    president of engineering for Symantec's virus watch group.

    The suspected culprit is the Kibuv.b worm, which hit the Internet over the
    weekend and exploits a vulnerability in Windows' Universal Plug and Play
    (UPnP) service within Windows 98, Me, and XP. The UPnP vulnerability was
    first disclosed and patched in late 2001.

    -----Original Message-----
    From: Leonardo [mailto:lmuroya@uol.com.br]
    Sent: Monday, May 17, 2004 1:00 PM
    To: Rohny Jotton; incidents@securityfocus.com
    Subject: Re: TCP port 5000 syn increasing

    http://isc.sans.org/port_details.php?port=5000

    ----- Original Message -----
    From: "Rohny Jotton" <rohnyjotton@hotmail.com>
    To: <incidents@securityfocus.com>
    Sent: Sunday, May 16, 2004 9:49 PM
    Subject: TCP port 5000 syn increasing

    > I'm seeing a large amount of these attempts starting around 1:00 PM EST
    > Sunday. They're getting blocked at the edge so I don't have any more info
    > than that. I'm seeing about one a second from various hosts/networks.
    >
    > isc.sans.org shows that port related to various backdoors. Someone or
    > something is getting busy.
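    Added example, not part of the original messages: one way to check from edge-firewall drop logs whether TCP port 5000 SYNs like those reported above come from many distinct sources (worm-like propagation) or from a few scanners. The Linux netfilter LOG line format, the thresholds, the label names and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumption: the edge firewall writes Linux netfilter LOG lines.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                  r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) (?P<rest>.*)$")

def syn_fan_in(lines, port=5000, window=60, year=2004):
    """Bucket bare SYNs to `port` into `window`-second bins, keyed by bin start."""
    epoch = datetime(year, 1, 1)          # syslog timestamps carry no year
    bins = defaultdict(lambda: {"syns": 0, "sources": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or int(m["dpt"]) != port:
            continue
        flags = m["rest"].split()
        if "SYN" not in flags or "ACK" in flags:   # skip SYN/ACK replies
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        secs = int((ts - epoch).total_seconds()) // window * window
        b = bins[epoch + timedelta(seconds=secs)]
        b["syns"] += 1
        b["sources"].add(m["src"])
    return dict(bins)

def classify(bins, min_syns=30, min_sources=10):
    """High rate from many sources = 'distributed'; from few = 'few-sources'."""
    out = []
    for start in sorted(bins):
        n, srcs = bins[start]["syns"], len(bins[start]["sources"])
        label = ("background" if n < min_syns else
                 "distributed" if srcs >= min_sources else "few-sources")
        out.append((start.strftime("%H:%M"), n, srcs, label))
    return out

def _line(t, src, dpt=5000, flags="SYN"):   # builds one constructed log line
    return (f"May 16 {t} fw kernel: EDGE-DROP IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.10 LEN=48 TTL=110 PROTO=TCP SPT=3245 DPT={dpt} "
            f"WINDOW=64240 RES=0x00 {flags} URGP=0")

# Constructed sample, not taken from the thread.
SAMPLE = ([_line(f"13:00:0{i}", f"203.0.113.{i}") for i in range(1, 6)]
          + [_line("13:00:07", "203.0.113.8", dpt=445),
             _line("13:00:08", "203.0.113.9", flags="ACK SYN")]
          + [_line(f"13:01:1{i}", "192.0.2.9") for i in range(4)]
          + [_line("13:02:30", "192.0.2.77")])

if __name__ == "__main__":
    for row in classify(syn_fan_in(SAMPLE), min_syns=4, min_sources=3):
        print(*row)
```

    The sample run lowers the thresholds to fit the handful of constructed lines; the defaults correspond to roughly one SYN every two seconds per minute-long bin.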
    
