Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: TCP port 5000 syn increasing
From: ANDREW STREULE <brother_wolf () btopenworld com>
Date: Mon, 17 May 2004 20:24:44 +0100 (BST)
on my honeypot a port 5000 event is almost always
followed by 1 or 2 nbt smb events.

the smb is like
SMB:1 [neg protocol] 
  Protocols:
    PC NETWORK PROGRAM 1.0
    LANMAN1.0
    Windows for Workgroups 3.1a
    LM1.2X002
    LANMAN2.1
    NT LM 0.12

SMB:2 [session setup X] 

SMB:4 [tree con X] 
    {\\81.x.x.x\ipc$[00]?????}

SMB:5 [nt createX] 
    Flags:16 Access:2019F Createop:40 Imp:2
    {\lsarpc[00]}

SMB:6 [trans] 
    name: {[10]\PIPE\[00 00]}


all my p5000 events are from 81.x.x.x

~Andy

---------------------------------------------------------------------------
----------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]