Jump to content


Port 5000 activity spikes = 2 worms...

  • Please log in to reply
1 reply to this topic

#1 AplusWebMaster



  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 May 2004 - 11:34 PM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-05-17
Updated May 18th 2004 03:45 UTC
"Two very different worms are currently responsible for the rapid increase in port 5000 scans. The first, 'Bobax', uses port 5000 to identify Windows XP systems. Windows XP uses port 5000 (TCP) for 'Universal Plug and Play (UPnP)'. By default, UPnP is enabled. The second worm, 'Kibuv', will use an old vulnerability in Windows XP's UPnP implementation to exploit systems. This vulnerability was one of the first discovered in Windows XP and patches have been available..."
>>> http://isc.sans.org/...s.php?port=5000

Edited by apluswebmaster, 19 May 2004 - 11:07 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#2 wawadave


    Advanced Member

  • Full Member
  • PipPipPip
  • 126 posts

Posted 19 May 2004 - 03:13 PM

you might want to d/l the program from grc for closeing upnp
this will help fix the problem.
Putting quotes around posts does not protect you from copy right infringement.</b>
<img src="http://img54.photobu...r_wawadave.gif" border="0" alt="IPB Image" />

Member of UNITE
Support SpywareInfo Forum - click the button