Rise in port 5000 probes are caused by 2 new worms


SirDice
May 19th, 2004, 03:18 PM
Everybody is seeing a rise in port 5000 probes. These are not caused by the (very old) Sockets de Troie trojan.

It's probably caused by 2 new worms: Bobax and Kibuv.

Bobax uses a probe on port 5000 to identify Windows XP, and Kibuv tries to exploit the very first vulnerability found on XP (UPnP bug).

Bobax:
http://vil.nai.com/vil/content/v_125304.htm
http://www.sophos.com/virusinfo/analyses/w32bobaxa.html

Kibuv:
http://vil.nai.com/vil/content/v_125306.htm

Soda_Popinsky
May 19th, 2004, 07:25 PM
This:
http://grc.com/unpnp/unpnp.htm

As well as a good firewall ruleset will help out.

neel
May 19th, 2004, 08:28 PM
A long, long time ago firewall logs actually meant something... now I just get 2000 connection attempts/hour on port x because there's yet another worm again

Today's top 5 (for me):
1) 6112
2) 5000
3) 445 135 (shared)
4) 9898
5) 5554

Edit: so those are attempted incoming connections to those ports, all TCP
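
A per-port tally like the one in the post above can be produced directly from a firewall log. The following is an added example, not part of the thread: it assumes Linux netfilter LOG-style lines (the posters do not say which firewall they run), and the sample lines and function names are constructed for illustration. It counts inbound TCP connection attempts per destination port and the number of distinct sources behind each.

```python
import re
from collections import defaultdict

# Constructed sample: Linux netfilter LOG-style lines (an assumed format),
# using documentation-range addresses. Not taken from the thread.
SAMPLE_LOG = """\
May 19 15:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=5000 SYN URGP=0
May 19 15:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=1440 DPT=5000 SYN URGP=0
May 19 15:01:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3322 DPT=5000 SYN URGP=0
May 19 15:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=445 SYN URGP=0
May 19 15:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2002 DPT=135 SYN URGP=0
May 19 15:02:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=5000 LEN=28
May 19 15:03:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=40000 ACK SYN URGP=0
May 19 15:03:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.11 DST=192.0.2.10 PROTO=TCP SPT=4100 DPT=445 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_probe(line):
    """Return (src, dport) for an inbound TCP connection attempt, else None."""
    fields = dict(FIELD.findall(line))
    flags = set(line.split())
    if fields.get("PROTO") != "TCP" or not fields.get("IN"):
        return None                      # not TCP, or not arriving on an interface
    if "SYN" not in flags or "ACK" in flags:
        return None                      # keep bare SYNs; SYN/ACK answers our own traffic
    if "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None                      # truncated or malformed line
    return fields["SRC"], int(fields["DPT"])

def top_ports(log_text, n=5):
    """Rank destination ports by attempts; also report distinct source count."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        probe = parse_probe(line)
        if probe:
            src, dport = probe
            attempts[dport] += 1
            sources[dport].add(src)
    ranked = sorted(attempts, key=lambda p: (-attempts[p], p))
    return [(p, attempts[p], len(sources[p])) for p in ranked[:n]]

if __name__ == "__main__":
    for port, hits, srcs in top_ports(SAMPLE_LOG):
        print(f"{port:>5}/tcp  attempts={hits}  distinct_sources={srcs}")
```

A port with many attempts spread over many distinct sources is the pattern a spreading worm produces; many attempts from a single source points to one scanner instead.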