Rise in port 5000 probes are caused by 2 new worms
Results 1 to 3 of 3

Thread: Rise in port 5000 probes are caused by 2 new worms

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Rise in port 5000 probes are caused by 2 new worms

    Everybody is seeing a rise in port 5000 probes. These are not caused by the (very old) Sockets de Troie trojan.

    It's probably caused by 2 new worms; Bobax and Kibuv.

    Bobax uses a probe on port 5000 to identify windows XP and Kibuv tries to exploit the very first vulnerability found on XP (UPnP bug).

    Bobax:
    http://vil.nai.com/vil/content/v_125304.htm
    http://www.sophos.com/virusinfo/analyses/w32bobaxa.html

    Kibuv:
    http://vil.nai.com/vil/content/v_125306.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    this:
    http://grc.com/unpnp/unpnp.htm

    As well as a good firewall ruleset will help out.

  3. #3
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    a long long time ago firewall logs actually ment something... now I just get 2000 connection attempts/hour on port x because there's yet another worm again

    todays top 5 (for me):
    1) 6112
    2) 5000
    3) 445 135 (shared)
    4) 9898
    5) 5554

    edit: so those are attempted incomming connections to those ports, all TCP
    Double Dutch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •