Security Incidents mailing list archives

Re: Microsoft Windows ME and TCP/5000
From: Joe Matusiewicz <joem () NIST GOV>
Date: Fri, 2 Mar 2001 12:25:24 -0500

Why not load ZoneAlarm on it and reboot your machine?  When programs try to
load and act as a server, ZA will ask for your permission.  When you see
the prompt:

"Do you want 3V1L h4x0R pR0g to act as a server?"

This should identify it.  Answer no, then seek and destroy.  ZA is free and
you got nothing to lose.  I've used it to discover spyware secretly bundled
with other programs that I installed.


-- Joe


At 08:08 PM 3/1/01, Bock, John (ISS San Francisco) wrote:
Use fport:
http://packetstorm.securify.com/NT/FPortNG.zip

or if you've got 69 bucks TCPViewpro:

http://www.winternals.com/products/monitoringtools/tcpviewpro.shtml

and figure out what process owns that port.

-john

----- Original Message -----
From: "Eric Fagan" <fagan () LVCM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 28, 2001 4:55 PM
Subject: Microsoft Windows ME and TCP/5000

> Hello,
>   I've seen only a handful of unanswered questions when researching this
> subject on Google, but I've found what seems to be a webserver running on
> port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening and
> TCP/5000 listening.  ICS is not installed, F/P Sharing is not enabled.
>
> On this box I have installed Halflife & QIII Arena off OEM CD's, and
> LimeWire (a gnutella type client).  The Limewire has since been removed and
> no references seem to appear for it in the registry.  Telnetting to port 5000
> and trying a properly formatted http GET command (or using a web browser)
> returns HTTP 1.1/400 Bad Request.  I've seen references indicating UDP/1900
> is normal for ME (something to do with IP multicast & PnP detection), but
> TCP/5000?  I'm bringing home my Network Associates VirusScan software from
> work today.   (Shame on me, running w/out protection for two weeks -- what
> was I thinking!)   I was just curious if anyone knew of a Trojan that camps
> an HTTP server on TCP/5000.  Perhaps I caught something...
>
> --Eric
>
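
The port-to-process lookup discussed in this thread, as an added example that is not part of any of the messages above: it joins `netstat -ano` output with `tasklist /fo csv /nh` output to name the process behind each listening port and flags listeners outside an expected baseline. It assumes the output formats of current Windows versions (the `-o` PID column is not available on Windows ME); the sample text, PIDs and image names are constructed.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.10:49712     192.0.2.34:443         ESTABLISHED     2210
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:1900           *:*                                    1432
"""

# Constructed sample of `tasklist /fo csv /nh` output (hypothetical image names).
TASKLIST = '''\
"svchost.exe","892","Services","0","9,120 K"
"example-svc.exe","1432","Services","0","4,388 K"
"browser.exe","2210","Console","1","180,004 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) > 1}

def listeners(netstat_text, tasklist_csv):
    """Return sorted (proto, port, pid, image) for every listening or bound socket."""
    names = pid_names(tasklist_csv)
    found = set()  # a set collapses the IPv4 and IPv6 rows of the same listener
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        # TCP rows carry a State column; UDP rows have none and are always bound.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])  # rsplit copes with [::]:135
        pid = int(f[-1])
        found.add((f[0], port, pid, names.get(pid, "<unknown>")))
    return sorted(found)

def unexpected(rows, baseline):
    """Listeners whose (proto, port) is not in the host's expected baseline."""
    return [r for r in rows if (r[0], r[1]) not in baseline]

if __name__ == "__main__":
    for row in unexpected(listeners(NETSTAT, TASKLIST), {("TCP", 135)}):
        print("%s/%d pid=%d image=%s" % row)
```

A PID that resolves to `<unknown>` means the process exited between the two commands or the tasklist capture was incomplete, so rerun both before drawing conclusions.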

