SANS ISC: InfoSec Handlers Diary Blog

TCP/5000 - The OTHER UPNP Port

Published: 2014-03-05
Last Updated: 2014-03-05 22:07:39 UTC
by Rob VandenBrink (Version: 1)
3 comment(s)

We've all read a lot about the scans and exploits of UPnP (Universal Plug and Play), whose SSDP discovery traffic runs on UDP port 1900.  Jens, one of our readers, pinged us this morning with a question about an uptick he was seeing in TCP/5000, which is also listed as UPnP - who knew?  (not me, that's who!)

After a quick check, I'm seeing an uptick in attack activity on TCP/5000 starting in mid-February, both in our DShield database and on various customer firewalls.  Our reader was seeing his attacks come from an IP allocated to China, but I'm seeing more attacks sourced from the US.

https://isc.sans.edu/port.html?startdate=2014-02-03&enddate=2014-03-05&port=5000&yname=sources&y2name=targets


Does anyone have any of these attack packets captured, preferably more than just SYN packets? 

Or if anyone has a sample of the attack software or any malware involved, we'd of course love a sample of that as well!
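As an added example (not part of Rob's diary and not DShield tooling), here is the kind of tally a firewall owner can run before answering the request above. It reads iptables-style kernel LOG lines (the sample lines below are constructed, not captured attack data), counts distinct sources and targets hitting the port the way the DShield port page does, and singles out sources whose connection got past the initial SYN, since those are the sessions whose payload is worth capturing. The `CAPTURE_FILTER` constant is a standard tcpdump/BPF expression that keeps only TCP/5000 packets carrying data, so a capture on a busy perimeter is not drowned in bare SYNs.

```python
"""Tally firewall log hits on a destination port and flag sources that
got past the SYN.  Added example, not from the ISC diary; the log lines
are constructed in Linux iptables LOG format, not real attack traffic."""
import re
from collections import Counter

# tcpdump filter: TCP packets to port 5000 whose IP total length minus the
# IP and TCP header lengths is non-zero, i.e. packets that carry payload.
CAPTURE_FILTER = (
    "tcp dst port 5000 and "
    "(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"
)

# Constructed sample: two sources send bare SYNs, one source completes the
# handshake and pushes data, and one UDP/1900 line should be ignored.
SAMPLE_LOG = """\
Mar  5 01:02:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 01:02:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51235 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 01:03:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5000 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 01:03:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5000 WINDOW=65535 RES=0x00 ACK URGP=0
Mar  5 01:03:45 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=5000 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Mar  5 01:10:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.12 PROTO=UDP SPT=33000 DPT=1900 LEN=40
"""

# Real iptables lines carry LEN=/TOS=/TTL= etc. between DST= and PROTO=;
# the non-greedy .*? skips whatever sits there.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Return a dict for one LOG line, or None if it is not a LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # iptables prints set TCP flags as bare tokens between RES= and URGP=.
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
        "flags": flags,
    }


def summarize_port(log_text, port=5000):
    """Count sources/targets for TCP hits on `port` and list the sources
    that got past the SYN (an ACK without SYN means the handshake completed)."""
    hits = [
        p for p in map(parse_line, log_text.splitlines())
        if p and p["proto"] == "TCP" and p["dpt"] == port
    ]
    sources = Counter(p["src"] for p in hits)
    targets = Counter(p["dst"] for p in hits)
    past_syn = sorted(
        {p["src"] for p in hits if "ACK" in p["flags"] and "SYN" not in p["flags"]}
    )
    return {
        "packets": len(hits),
        "sources": sources,
        "targets": targets,
        "past_syn": past_syn,
    }


if __name__ == "__main__":
    s = summarize_port(SAMPLE_LOG, 5000)
    print(f"TCP/5000: {s['packets']} packets, "
          f"{len(s['sources'])} sources, {len(s['targets'])} targets")
    for src, n in s["sources"].most_common():
        print(f"  {src:<16} {n} packets")
    print("sources that got past the SYN (capture these):", s["past_syn"])
    print("tcpdump -ni eth0 -w port5000.pcap '" + CAPTURE_FILTER + "'")
```

Sources that appear only in the `sources` counter are scanners (or spoofed SYNs) and tell you little beyond volume; a source in `past_syn` completed the handshake, so a capture of that session will show what the scanner actually sends to the UPnP service.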

===============
Rob VandenBrink
Metafore

Keywords: UPNP