Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Port 5000

  • From: James Reid
  • Date: Tue May 18 10:41:12 2004



Since it is completing a TCP handshake, the IP addresses are
very likely to be the source of the scan. ISN generation on
every modern OS is sufficiently random to prevent opportunistic
TCP spoofing from something like a worm.

While there are probably some exceptions to this statement,
there are too few to be significant.



On Tue, 18 May 2004, Doug White wrote:

:Now that we know it's Bobax scanning http://isc.sans.org/diary.php do we
:know if the source IP's are legit or spoofed?
:
:======================================
:Our Anti-spam solution works!!
:http://www.clickdoug.com/mailfilter.cfm
:For hosting solutions http://www.clickdoug.com
:http://www.forta.com/cf/isp/isp.cfm?isp_id=1069
:======================================
:
:
:----- Original Message -----
:From: "Geo." <geoincidents@nls.net>
:To: <nanog@merit.edu>
:Sent: Tuesday, May 18, 2004 8:15 AM
:Subject: Port 5000
:
:
::
:: We are seeing many customers here probing port 5000 across the network. It
:: appears to be some new worm or something but I've had no luck yet in
:: figuring out what it is except to say norton AV detects nothing yet.
::
:: Anyone have a clue?
::
:: http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cab
:: c9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query
::
:: the jump in traffic is obvious.
::
:: Geo.
::
::
::
:

-- 
James Reid, CISSP




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.