RE: TCP port 5000 syn increasing

From: Terence Runge (Terence.Runge_at_veritas.com)
Date: 05/17/04

  • Next message: Noel Cuillandre: "Re: TCP port 5000 syn increasing"
    To: Leonardo <lmuroya@uol.com.br>, Rohny Jotton <rohnyjotton@hotmail.com>, incidents@securityfocus.com
    Date: Mon, 17 May 2004 14:11:47 -0700
    
    

    http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=20301309H
    igh

    Port 5000 Traffic Indicates Kibuv.b Worm At Work

    By TechWeb News

    Symantec's DeepSight Threat network Monday detected a very high level of
    unusual traffic on TCP port 5000 that indicates a worm's at work.

    The latest alert, which notes "extremely heavy activity" on port 5000, is
    "almost certainly a worm-related activity," said Alfred Huger, the vice
    president of engineering for Symantec's virus watch group.

    The suspected culprit is the Kibuv.b worm, which hit the Internet over the
    weekend and exploits a vulnerability in Windows' Universal Plug and Play
    (UPnP) service within Windows 98, Me, and XP. The UPnP vulnerability was
    first disclosed and patched in late 2001.

    -----Original Message-----
    From: Leonardo [mailto:lmuroya@uol.com.br]
    Sent: Monday, May 17, 2004 1:00 PM
    To: Rohny Jotton; incidents@securityfocus.com
    Subject: Re: TCP port 5000 syn increasing

    http://isc.sans.org/port_details.php?port=5000

    ----- Original Message -----
    From: "Rohny Jotton" <rohnyjotton@hotmail.com>
    To: <incidents@securityfocus.com>
    Sent: Sunday, May 16, 2004 9:49 PM
    Subject: TCP port 5000 syn increasing

    > I'm seeing a large amount of these attempts starting around 1:00 PM EST
    > Sunday. They're getting blocked at the edge so I don't have any more info
    > than that. I'm seeing about one a second from various hosts/networks.
    >
    > isc.sans.org shows that port related to various backdoors. Someone or
    > something is getting busy.
    >
    > _________________________________________________________________
    > MSN Toolbar provides one-click access to Hotmail from any Web page - FREE
    > download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/
    >
    >
    > --------------------------------------------------------------------------
    -
    > --------------------------------------------------------------------------

    --
    >
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: Noel Cuillandre: "Re: TCP port 5000 syn increasing"