SANS ISC: Port 5000 Traffic Continues; Fragmented tcp/16191 Update
Port 5000 Traffic Continues

As reported in yesterday's diary, two worms (Bobax and Kibuv.B) are responsible for the increase in tcp/5000 traffic. Microsoft Windows systems that are currently patched are not vulnerable to either worm.

Fragmented tcp/16191 Update

Additional information on the report of fragmented IP traffic towards port 16191 in the May 14 diary arrived in the mailbag today. James tells us,

"I have seen this before inside my network, and recently am seeing it again, including a couple of hits from outside now. Using Cisco v2 IDS sensors on my internal network I always see these as a set of 3 signatures:

1203 - IP fragment overwrite - Data is overwritten

1204 - IP fragment missing initial fragment

1208 - IP fragment incomplete dgram

The Cisco IDS usually indicates whether a port is a TCP or UDP port, but in this case the protocol field of the alert simply says IP."

Handler Ed Skoudis explains, "That's likely because the higher-layer protocol (TCP or UDP) header is typically included in the first fragment, including the port number itself. Therefore, because you are getting:

1204 - IP fragment missing initial fragment

You aren't seeing the TCP/UDP stuff, so the IDS labels it merely as IP."

Additional details from Cisco on packet fragmentation are online at
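To make the point concrete, here is an added example (not from the diary and not Cisco's code) of a small fragment tracker over constructed IPv4 fragments. It emits the three alert names James lists, and labels a datagram with its transport protocol and destination port only when fragment 0 (the one carrying the TCP/UDP header) is present; otherwise it can only say "IP". The helper names, sample addresses and the port 16191 sample are assumptions made for the example.

```python
import struct
from collections import defaultdict

def make_frag(ident, off, mf, payload, proto=6, src=b'\x0a\x00\x00\x01', dst=b'\x0a\x00\x00\x02'):
    """Build a raw IPv4 fragment (constructed sample data; header checksum left at zero)."""
    flags_off = (0x2000 if mf else 0) | (off // 8)          # MF flag + offset in 8-byte units
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    """Pull the fields a fragment tracker needs out of a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return dict(key=(src, dst, ident, proto), proto=proto, mf=bool(flags_off & 0x2000), off=(flags_off & 0x1FFF) * 8, payload=pkt[ihl:total_len])

def classify(frags):
    """Return (transport label, alert names) for the fragments of one datagram."""
    frags = sorted(frags, key=lambda f: f['off'])
    alerts, expected, gap = [], 0, False
    first = frags[0] if frags[0]['off'] == 0 else None
    if first is None:
        alerts.append('IP fragment missing initial fragment')
    for f in frags:
        if f['off'] < expected:                   # this fragment overlaps data already seen
            alerts.append('IP fragment overwrite - Data is overwritten')
        elif f['off'] > expected:                 # a hole before this fragment
            gap = True
        expected = max(expected, f['off'] + len(f['payload']))
    if gap or frags[-1]['mf']:                    # hole, or the last fragment still has MF set
        alerts.append('IP fragment incomplete dgram')
    # Ports live in the transport header inside fragment 0; without it the best label is plain "IP".
    if first and first['proto'] in (6, 17) and len(first['payload']) >= 4:
        _, dport = struct.unpack('!HH', first['payload'][:4])
        return f"{'tcp' if first['proto'] == 6 else 'udp'}/{dport}", alerts
    return 'IP', alerts

def classify_stream(packets):
    """Group raw packets by (src, dst, id, proto) and classify each datagram, keyed by IP id."""
    groups = defaultdict(list)
    for p in packets:
        f = parse_ipv4(p)
        groups[f['key']].append(f)
    return {k[2]: classify(v) for k, v in groups.items()}

TCP_HDR = struct.pack('!HH', 40000, 16191) + bytes(4)    # constructed: TCP header start, dst port 16191
SAMPLE = [
    make_frag(1, 8, True, bytes(8)), make_frag(1, 16, False, bytes(8)),           # fragment 0 never arrived
    make_frag(2, 0, True, TCP_HDR), make_frag(2, 8, False, bytes(8)),              # well-formed datagram
    make_frag(3, 0, True, TCP_HDR + bytes(8)), make_frag(3, 8, False, bytes(8)),   # second fragment overlaps
]
```

Running `classify_stream(SAMPLE)` labels datagram 1 as plain "IP" with the missing-initial and incomplete alerts, while datagrams 2 and 3 resolve to tcp/16191 because their first fragment carried the TCP header.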

Marcus H. Sachs

Handler on Duty

May 19th 2004