
Camaro
Question everything
Premium
join:2008-04-05
Westfield, MA
kudos:1
Reviews:
·Comcast

UPnP Port

Hello all. Over the last week or so I have noticed a huge increase in people whacking away at that port. Normally I would chalk this up as normal traffic, but my firewall averages 200-300 hits a day, and now I am hovering around 1000. The only remote thought I had was that the miscreants are getting ready for attacks on XP. So I was wondering if anyone else has noticed this? Or am I just a worry wart?

daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

When you say that the firewall normally gets "200-300 hits a day", is this only on the UPnP port or on all of the ports? My hardware firewall (home version of Sophos UTM/Astaro Security Gateway) reports at least 2000 rule violations per day (on all of the ports combined).

In your case, the important thing is whether your firewall is successfully blocking all of this traffic. If it is, there is no need to worry; you are safe.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to Camaro

said by Camaro:

Over the last week or so I have noticed a huge increase of people whacking away at that port ... So was wondering if any else has noticed this?

About 23 probes to port 5000 in the last 16 hours. Firewall is blocking them, so no worries.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Camaro
Question everything
Premium
join:2008-04-05
Westfield, MA
kudos:1
Reviews:
·Comcast
reply to daveinpoway

Oh yeah, it's blocking everything. I just wanted to throw out there whether people have noticed a huge uptick on port 5000. Normally it's spread out between all the ports, but now roughly over half my hits are on that port. I run an IDS and it has a few specific alerts relating to that port. And when I trace the IPs, 90% are coming from China.
But like I said, I might be too much of a sketch ball.
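To put numbers on the kind of shift Camaro describes (over half of all hits landing on one port, and daily volume several times the usual baseline), here is an added example; it is not code from the thread or from any poster's firewall. It parses constructed log lines in the netfilter/iptables LOG-target format (the posters' actual firewall formats are not given, and these lines and addresses are made up, using RFC 5737 documentation ranges), builds a per-port histogram, reports whether one port dominates, lists the distinct sources hitting it, and expresses today's volume as a multiple of the normal daily average.

```python
import re
from collections import Counter

# Constructed sample in the netfilter (iptables LOG target) kernel-log format.
# These lines are made up for this example; they are not any poster's real
# firewall output, and the addresses come from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Apr 10 00:12:01 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43211 DPT=5000 FLAGS=SYN
Apr 10 00:13:44 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51020 DPT=23 FLAGS=SYN
Apr 10 00:15:02 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43212 DPT=5000 FLAGS=SYN
Apr 10 00:18:30 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=3389 FLAGS=SYN
Apr 10 00:21:17 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=33001 DPT=5000 FLAGS=SYN
Apr 10 00:25:55 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.80 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=5000 FLAGS=SYN
Apr 10 00:27:09 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.5 PROTO=TCP SPT=55555 DPT=5900 FLAGS=SYN
Apr 10 00:30:41 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP SPT=41111 DPT=5000 FLAGS=SYN
Apr 10 00:33:08 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.61 DST=203.0.113.5 PROTO=TCP SPT=42222 DPT=23 FLAGS=SYN
Apr 10 00:35:19 gw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43213 DPT=5000 FLAGS=SYN
"""

# Pull the source address, protocol and destination port out of one LOG line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=\S+\s+PROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Return one record per log line that carries SRC/PROTO/DPT fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"src": m.group("src"),
                            "proto": m.group("proto"),
                            "dpt": int(m.group("dpt"))})
    return records


def port_histogram(records):
    """Hits per destination port, e.g. Counter({5000: 6, 23: 2, ...})."""
    return Counter(r["dpt"] for r in records)


def dominant_port(records, threshold=0.5):
    """(port, share) if a single port gets more than `threshold` of all
    drops, else None when the traffic is spread out as usual."""
    hist = port_histogram(records)
    if not hist:
        return None
    port, n = hist.most_common(1)[0]
    share = n / len(records)
    return (port, share) if share > threshold else None


def unique_sources(records, port):
    """Distinct source addresses seen hitting `port` (to tell one noisy
    scanner apart from a broad campaign)."""
    return sorted({r["src"] for r in records if r["dpt"] == port})


def uptick_ratio(todays_hits, baseline_per_day):
    """Today's volume as a multiple of the usual daily count
    (about 1000 hits against a 250/day average gives 4.0)."""
    return todays_hits / baseline_per_day


if __name__ == "__main__":
    recs = parse_drops(SAMPLE_LOG)
    print(port_histogram(recs).most_common())
    print("dominant:", dominant_port(recs))
    print("sources on 5000:", unique_sources(recs, 5000))
    print("uptick vs 250/day baseline:", uptick_ratio(1000, 250))
```

Running the script prints the histogram, the dominant port with its share (5000 at 0.6 on the constructed sample), the four distinct sources on port 5000, and the ratio of the volume Camaro reports to a mid-range baseline. On real logs, feed the day's `kernel:` lines through `parse_drops` and compare `dominant_port` against a few earlier days; the share on one port, not the raw count, is what distinguishes a targeted sweep from background noise.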


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

reply to Camaro

A good place to check on this stuff is

»isc.sans.edu/port.html?port=5000

if you set the dates to 1/1/2014 you will see that probes on this port have increased significantly. Probably a new vulnerability somewhere.

And if you read the next link you can see what it is.

»isc.sans.edu/diary/Port+5000+tra···re/17771
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to Camaro

Since February I have seen a noticeable increase in port 5000 hits in my perimeter firewall (up to ~100 per day as opposed to only a handful in the past), but even so, ports 23, 3389, and 5900 are still the most popular (non-existent) targets on my network.
           
Of course, the firewall is blocking all of them with no problems, so...
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.



Camaro
Question everything
Premium
join:2008-04-05
Westfield, MA
kudos:1
reply to TheWiseGuy

Thanks for that website, lots of geeky stuff to read. Thanks for everyone's input.


Frodo

join:2006-05-05
kudos:1

1 edit
reply to Camaro

I'm getting a bunch also. I noticed it before. So I decided to set up a listener (netcat) to see if I could figure out what is going on. Most of the connections aren't sending anything, probably because netcat isn't handling the port 5000 protocol correctly, but I have seen two of these:

GET /webman/info.cgi?host= HTTP/1.0
Host: 99.y.xxx.xxx:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
Seems it is something about " /webman/info.cgi?host=".
99.y.xxx.xxx is my ip.

-Edit: Search on " /webman/info.cgi?host=" yields:
»isc.sans.edu/forums/diary/Port+5···re/17771
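As an added example, not code from the thread, here is a small Python equivalent of the netcat listener Frodo describes, together with a parser that classifies what arrives on the port. The request bytes below are a constructed copy of the probe quoted in the post, with a documentation address in the Host header instead of the poster's; the `WATCHED_PATHS` set and the `serve_once` helper are this example's own names. One thing worth knowing when reading such a listener's output: a plain SYN or connect scan never sends application data, so a request body only shows up when the scanner goes on to speak HTTP to the port.

```python
import socket
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the request quoted in the post. The Host value is an
# RFC 5737 documentation address, not the poster's real IP.
SAMPLE_REQUEST = (
    b"GET /webman/info.cgi?host= HTTP/1.0\r\n"
    b"Host: 203.0.113.5:5000\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Request paths to flag. Only the one seen in the post is listed; this set is
# the example's own and is meant to be extended from your own captures.
WATCHED_PATHS = {"/webman/info.cgi"}


def parse_request(raw):
    """Split raw bytes into method, path, query and headers.
    Returns None when the bytes do not start with an HTTP request line."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", "replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    url = urlsplit(target)
    headers = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": url.path,
        # keep_blank_values so "host=" is recorded as host -> ""
        "query": parse_qs(url.query, keep_blank_values=True),
        "version": version,
        "headers": headers,
    }


def classify(raw):
    """'probe:<path>' for a watched path, 'http' for any other HTTP request,
    'non-http' for empty or binary payloads (scanners that only connect)."""
    req = parse_request(raw)
    if req is None:
        return "non-http"
    if req["path"] in WATCHED_PATHS:
        return "probe:" + req["path"]
    return "http"


def serve_once(port=5000, timeout=60):
    """Accept one TCP connection like `nc -l -p 5000`, read until the end of
    the headers (or silence), and return (peer, raw_bytes, verdict).
    Binds a socket, so it is only run from the __main__ block below."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        data = b""
        with conn:
            conn.settimeout(5)
            try:
                while b"\r\n\r\n" not in data and len(data) < 8192:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # scanner connected but never sent anything
        return peer, data, classify(data)


if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST))          # probe:/webman/info.cgi
    peer, raw, verdict = serve_once()
    print(peer, verdict, raw[:200])
```

Run it on a host where port 5000 is otherwise unused and reachable from the internet; each connection is reported with the peer address and a verdict, and the `non-http` verdicts correspond to the "aren't sending anything" connections in Frodo's post. Keep the listener on a throwaway machine, since it answers nothing and exists only to record what the probes send.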


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB
reply to NormanS

Strange..... mine shows only the "DOS attack" as internet background radiation in recent weeks, and the rest is just the usual intranet logs!!!