[get complete service list]
Port Information
Protocol Service Name
tcp sasser-ftp [trojan] Sasser Worm FTP Server
udp sgi-esphttp SGI ESP HTTP
tcp sgi-esphttp SGI ESP HTTP
Top IPs Scanning
Today Yesterday (18) (13) (9) (13) (8) (9) (6) (8) (5) (7) (4) (7) (4) (6) (3) (5) (3) (5) (3) (4)
Port diary mentions
Increase in TCP 5554 activity; Fragmented IP traffic towards port 16191; Please patch your SymantecNorton firewall products
Samba - Buffer Overrun, HP Remote Command Execution, Top 15 Worms, Hosts File, SasserDabber Activity
User Comments
Submitted By Date
Robert Burnett 2004-07-20 17:36:11
Recent spikes in traffic on this port are most likely caused by the Dabber worm, which spreads itself by connecting to the Sasser FTP server (port 5554) and exploiting a buffer overflow vulnerability in the FTP server.
Alan E Brain 2004-05-04 16:16:24
Used by sasser worm to spread itself. Sasser spreads by scanning IP addresses for access via TCP Port 445 looking for vulnerable systems, according to Symantec. When it finds an unpatched Windows XP or Windows 2000 computer, Sasser.A adds the file "avserve2.exe"="%Windir%avserve2.exe" in the registry, tries to block attempts to shut down or reboot the infected computer (by using the AbortSystemShutdown application programming interface) and then begins scanning other systems via an FTP server on TCP Port 5554 seeking to spread itself,
CVE Links
CVE # Description