Security Incidents mailing list archives
RE: TCP port 5000 syn increasing
From: Jose Nazario <jose () monkey org>
Date: Mon, 17 May 2004 22:43:52 -0400 (EDT)
using the Internet Motion Sensor project hosted by umich, we've been monitoring global network spaces and looking at the same rise in TCP port 5000 traffic. however, the data doesn't support the theory of kibuv.b entirely.

according to the kibuv.b description at symantec [1], we should be seeing a similar rise in traffic on ports 80, 135, 445, 5554 (sasser backdoor), 6667 (bagle.a), 2745 (bagle.g), all rising in concert with TCP port 5000. we're not seeing the same rise and not seeing traffic from the same sources on these ports, in addition to kibuv.b ports like 7955 and 420.

in short, while it may be kibuv.b, the evidence doesn't entirely support that theory. we should be seeing traffic rise against multiple ports used by the worm ... and we're not. we are, however, seeing exploit traffic on 5000/TCP rise over the past day or two.

[the IMS project is due to be announced publicly at the upcoming nanog presentation in san francisco.]

notes:
1. http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.b.html

________
jose nazario, ph.d.
jose () monkey org
http://monkey.org/~jose/
http://infosecdaily.net/
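The per-source correlation the message describes, as an added example that is not part of the original post: it checks whether sources sending SYNs to 5000/TCP also probe the other ports the message lists. The record layout, function names and sample data are assumptions constructed for illustration, not Internet Motion Sensor data or tooling.

```python
from collections import defaultdict

# Ports named in the message above as expected alongside 5000/TCP for kibuv.b.
TARGET_PORT = 5000
COMPANION_PORTS = {80, 135, 445, 5554, 6667, 2745, 7955, 420}

# Constructed sample of (source, destination port) SYN observations.
# Addresses are from documentation ranges, not real sensor data.
SAMPLE_SYNS = [
    ("192.0.2.10", 5000), ("192.0.2.10", 5000),
    ("192.0.2.11", 5000),
    ("192.0.2.12", 5000), ("192.0.2.12", 445),
    ("198.51.100.7", 5000),
    ("198.51.100.8", 135), ("198.51.100.8", 445),
    ("203.0.113.5", 80),
]

def ports_by_source(syns):
    """Map each source address to the set of destination ports it probed."""
    seen = defaultdict(set)
    for src, dport in syns:
        seen[src].add(dport)
    return seen

def companion_overlap(syns, min_companions=2):
    """Summarise how many port-5000 sources also probe the companion ports.

    Returns (n_sources, n_multi, per_port): n_multi counts sources that hit
    at least min_companions companion ports; per_port maps each companion
    port to the fraction of port-5000 sources that also hit it.
    """
    seen = ports_by_source(syns)
    scanners = {s: p for s, p in seen.items() if TARGET_PORT in p}
    n = len(scanners)
    n_multi = sum(1 for p in scanners.values()
                  if len(p & COMPANION_PORTS) >= min_companions)
    per_port = {port: (sum(1 for p in scanners.values() if port in p) / n
                       if n else 0.0)
                for port in sorted(COMPANION_PORTS)}
    return n, n_multi, per_port

if __name__ == "__main__":
    n, n_multi, per_port = companion_overlap(SAMPLE_SYNS)
    print(f"{n} sources on {TARGET_PORT}/TCP, {n_multi} also on >=2 companion ports")
    for port, frac in per_port.items():
        print(f"  {port:>5}/TCP  {frac:.0%}")
```

A low multi-port count and near-zero per-port fractions correspond to the pattern reported in the message: port 5000 activity without matching activity from the same sources on the other ports.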