Security Incidents: Re: Microsoft Windows ME and TCP/5000

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Microsoft Windows ME and TCP/5000

From: Jeff Pults <j_pults () YAHOO COM>
Date: Mon, 5 Mar 2001 09:43:26 -0800

I found "Backweb Server" running on my "New" HP
Pavillion and determined it was "factory" installed
for some kind of automatic updates.  HP tech support
didn't know anything about it.  You could install some
tcp port monitor like TDImon to determine what app is
running on the port.

Cheers,
Jeff
--- "V. L-M" <derDoc () GMX DE> wrote:

----- Original Message -----
From: "Todd A. Garrison" <tgarris () FRAMELOSS ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 01, 2001 7:02 PM
Subject: Re: Microsoft Windows ME and TCP/5000

Quite commonly when you setup a multi-player FPS

type game they will

install a web-server that allows you to change

maps, kick players, etc

on the game server.  I know that this is the case

with Unreal

Tournament.  As for Quake3 I am pretty sure it

doesn't do this as it has

the ability to allow control of these game aspects

via the game itself.

You may want to check the docs for Halflife to see

if this is true.

Your right, UT installs a webserver on port 80 if
explicitly told so,
however you can change the port.
Youre right Q3a doesnt and the same is right for HL.
If you want to control
HL through a webserver you have to install some kind
of mod but normally
thats only feasible for a dedicated server, because
when ingame you can
change everything by means of the console(same goes
for UT, BTW). Even the
dedicated one can controled locally.
As for the port 5000, I also have ME running and
never seen any port 5000
listening. What about ICQ? ICQ tends to sometimes
open funny ports for
listening.

Good luck!

Eric Fagan wrote:


Hello,
  I've seen only a handful of unanswered

questions when researching this

subject on Google, but I've found what seems to

be a webserver running
on

port 5000 of my WinME box.  A "netstat -a" shows

UDP/1900 listening and

TCP/5000 listening.  ICS is not installed, F/P

Sharing is not enabled.


On this box I have installed Halflife & QIII

Arena off OEM CD's, and

LimeWire (a gnutella type client).  The Limewire

has since been removed
and

no references seem to appear for it the

registry.  Telnetting to port
5000

and trying a properly formatted http GET command

(or using a web
browser)

returns HTTP 1.1/400 Bad Request.  I've seen

references indicated
UDP/1900

is normal for ME (something to do with IP

multicast & PnP detection),
but

TCP/5000?  I'm bringing home my Network

Associates VirusScan software
from

work today.   (Shame on me, running w/out

protection for two weeks --
what

was I thinking!)   I was just curious if anyone

knew of a Trojan that
camps

an HTTP server on TCP/5000.  Perhaps I caught

something...


--Eric


--
Todd Garrison
tgarris () frameloss org
PGP KEY ID: 0x007AEAE4



__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/

By Date By Thread

Current thread:

Microsoft Windows ME and TCP/5000 Eric Fagan (Feb 28)
- Re: Microsoft Windows ME and TCP/5000 George Bakos (Mar 01)
- Re: Microsoft Windows ME and TCP/5000 Todd A. Garrison (Mar 01)
  - Re: Microsoft Windows ME and TCP/5000 V. L-M (Mar 02)
    - Re: Microsoft Windows ME and TCP/5000 Jeff Pults (Mar 05)
    - Apache logs John A. Kotulak (Mar 05)
    - Re: Apache logs Pedro Ortale Neto (Mar 05)
- <Possible follow-ups>
- Re: Microsoft Windows ME and TCP/5000 Bock, John (ISS San Francisco) (Mar 02)
  - Re: Microsoft Windows ME and TCP/5000 Joe Matusiewicz (Mar 02)
    - Re: Microsoft Windows ME and TCP/5000 Eric Fagan (Mar 05)