Port 5000

James Reid jreid at vapour.net
Tue May 18 14:16:33 UTC 2004



Since it is completing a TCP handshake, the IP addresses are
very likely to be the source of the scan. ISN generation on
every modern OS is sufficiently random to prevent opportunistic
TCP spoofing from something like a worm.

While there are probably some exceptions to this statement,
there are too few to be significant.



On Tue, 18 May 2004, Doug White wrote:

:Now that we know it's Bobax scanning http://isc.sans.org/diary.php do we
:know if the source IP's are legit or spoofed?
:
:======================================
:Our Anti-spam solution works!!
:http://www.clickdoug.com/mailfilter.cfm
:For hosting solutions http://www.clickdoug.com
:http://www.forta.com/cf/isp/isp.cfm?isp_id=1069
:======================================
:
:
:----- Original Message -----
:From: "Geo." <geoincidents at nls.net>
:To: <nanog at merit.edu>
:Sent: Tuesday, May 18, 2004 8:15 AM
:Subject: Port 5000
:
:
::
:: We are seeing many customers here probing port 5000 across the network. It
:: appears to be some new worm or something but I've had no luck yet in
:: figuring out what it is except to say norton AV detects nothing yet.
::
:: Anyone have a clue?
::
:: http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cab
:: c9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query
::
:: the jump in traffic is obvious.
::
:: Geo.
::
::
::
:

-- 
James Reid, CISSP



More information about the NANOG mailing list