Re: Microsoft Windows ME and TCP/5000

[Eric Fagan <fagan () LVCM COM>]

Hello,
  Here's a follow-up on the TCP/5000 webserver found on WinME.  I just
wanted to thank all that wrote in -- I received several very good
suggestions, including the one below.  ZA indicated the owner was
SSDPSRV.EXE, or the Simple Service Discover Protocol, which is used for
Universal Plug and Play.  Apparently there is a URL exchange during the
discovery process of networked Plug & Play devices.  XML information is then
passed between the Plug & Play devices -- explaining the presence of a
non-standard webserver.  It seems that anyone running WinME with Universal
Plug & Play enabled will likely have this process running.

I find it unusual that Microsoft did not add a description of port 5000 in
the SERVICES file, like:

ssdp    1900/udp    # SSDP
ssdp    5000/tcp    # SSDP web-XML parser for Universal Plug & Play

That would eliminate a lot of confusion....  Anyway, here's a non-technical
description of what's going on:

http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP


----- Original Message -----
From: "Joe Matusiewicz" <joem () NIST GOV>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, March 02, 2001 9:25 AM
Subject: Re: Microsoft Windows ME and TCP/5000


> Why not load ZoneAlarm on it and reboot your machine?  When programs try
to
> load and act as a server, ZA will ask for your permission.  When you see
> the prompt:
>
> "Do you want 3V1L h4x0R pR0g to act as a server?"
>
> This should identify it.  Answer no, then seek and destroy.  ZA is free
and
> you got nothing to lose.  I've used to discover spyware secretly bundled
> with other programs that I installed.
>
>
> -- Joe
>
>
> At 08:08 PM 3/1/01, Bock, John (ISS San Francisco) wrote:
> > Use fport:
> > http://packetstorm.securify.com/NT/FPortNG.zip
> >
> > or if you've got 69 bucks TCPViewpro:
> >
> > http://www.winternals.com/products/monitoringtools/tcpviewpro.shtml
> >
> > and figure out what process owns that port.
> >
> > -john
> >
> > ----- Original Message -----
> > From: "Eric Fagan" <fagan () LVCM COM>
> > To: <INCIDENTS () SECURITYFOCUS COM>
> > Sent: Wednesday, February 28, 2001 4:55 PM
> > Subject: Microsoft Windows ME and TCP/5000
> >
> > > Hello,
> > >   I've seen only a handful of unanswered questions when researching
this
> > > subject on Google, but I've found what seems to be a webserver running
on
> > > port 5000 of my WinME box.  A "netstat -a" shows UDP/1900 listening
and
> > > TCP/5000 listening.  ICS is not installed, F/P Sharing is not enabled.
> > >
> > > On this box I have installed Halflife & QIII Arena off OEM CD's, and
> > > LimeWire (a gnutella type client).  The Limewire has since been
removed
> > and
> > > no references seem to appear for it the registry.  Telnetting to port
5000
> > > and trying a properly formatted http GET command (or using a web
browser)
> > > returns HTTP 1.1/400 Bad Request.  I've seen references indicated
UDP/1900
> > > is normal for ME (something to do with IP multicast & PnP detection),
but
> > > TCP/5000?  I'm bringing home my Network Associates VirusScan software
from
> > > work today.   (Shame on me, running w/out protection for two weeks --
what
> > > was I thinking!)   I was just curious if anyone knew of a Trojan that
> > camps
> > > an HTTP server on TCP/5000.  Perhaps I caught something...
> > >
> > > --Eric