Security Incidents: Re: Microsoft Windows ME and TCP/5000

["Bock, John (ISS San Francisco)" <JBock () ISS NET>]

Use fport:
http://packetstorm.securify.com/NT/FPortNG.zip

or if you've got 69 bucks TCPViewpro:

http://www.winternals.com/products/monitoringtools/tcpviewpro.shtml

and figure out what process owns that port.

-john

----- Original Message -----
From: "Eric Fagan" <fagan () LVCM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 4:55 PM
Subject: Microsoft Windows ME and TCP/5000

> Hello,
>   I've seen only a handful of unanswered questions when researching this
> subject on Google, but I've found what seems to be a webserver running on
> port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening and
> TCP/5000 listening.  ICS is not installed, F/P Sharing is not enabled.
>
> On this box I have installed Halflife & QIII Arena off OEM CD's, and
> LimeWire (a gnutella type client).  The Limewire has since been removed
and
> no references seem to appear for it the registry.  Telnetting to port 5000
> and trying a properly formatted http GET command (or using a web browser)
> returns HTTP 1.1/400 Bad Request.  I've seen references indicated UDP/1900
> is normal for ME (something to do with IP multicast & PnP detection), but
> TCP/5000?  I'm bringing home my Network Associates VirusScan software from
> work today.   (Shame on me, running w/out protection for two weeks -- what
> was I thinking!)   I was just curious if anyone knew of a Trojan that
camps
> an HTTP server on TCP/5000.  Perhaps I caught something...
>
> --Eric