Security Incidents mailing list archives

Re: Microsoft Windows ME and TCP/5000


From: "V. L-M" <derDoc () gmx de>
Date: Fri, 2 Mar 2001 15:15:15 +0100

----- Original Message -----
From: "Todd A. Garrison" <tgarris () FRAMELOSS ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 01, 2001 7:02 PM
Subject: Re: Microsoft Windows ME and TCP/5000


Quite commonly when you set up a multi-player FPS type game they will
install a web-server that allows you to change maps, kick players, etc.
on the game server.  I know that this is the case with Unreal
Tournament.  As for Quake3 I am pretty sure it doesn't do this as it has
the ability to allow control of these game aspects via the game itself.
You may want to check the docs for Halflife to see if this is true.

You're right, UT installs a webserver on port 80 if explicitly told so,
however you can change the port.
You're right, Q3A doesn't, and the same is right for HL. If you want to
control HL through a webserver you have to install some kind of mod, but
normally that's only feasible for a dedicated server, because when ingame
you can change everything by means of the console (same goes for UT, BTW).
Even the dedicated one can be controlled locally.
As for the port 5000, I also have ME running and have never seen any port
5000 listening. What about ICQ? ICQ tends to sometimes open funny ports for
listening.
Good luck!

Eric Fagan wrote:

Hello,
  I've seen only a handful of unanswered questions when researching this
subject on Google, but I've found what seems to be a webserver running on
port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening and
TCP/5000 listening.  ICS is not installed, F/P Sharing is not enabled.

On this box I have installed Halflife & QIII Arena off OEM CDs, and
LimeWire (a gnutella type client).  The LimeWire has since been removed and
no references seem to appear for it in the registry.  Telnetting to port
5000 and trying a properly formatted HTTP GET command (or using a web
browser) returns HTTP 1.1/400 Bad Request.  I've seen references indicating
UDP/1900 is normal for ME (something to do with IP multicast & PnP
detection), but TCP/5000?  I'm bringing home my Network Associates
VirusScan software from work today.   (Shame on me, running w/out
protection for two weeks -- what was I thinking!)   I was just curious if
anyone knew of a Trojan that camps an HTTP server on TCP/5000.  Perhaps I
caught something...

--Eric

--
Todd Garrison
tgarris () frameloss org
PGP KEY ID: 0x007AEAE4


