Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: TCP/5000 - The OTHER UPNP Port - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
TCP/5000 - The OTHER UPNP Port

We've all read a lot about the scans and exploits of UPNP (Universal Plug N Play), on UDP port 1900.  Jens, one of our readers, pinged us this morning with a question about an uptick he was seeing in TCP/5000, which is also listed as UPNP - who knew?  (not me, that's who!)

After a quick check, I'm seeing an uptick in attack activity on TCP/5000 starting in mid-February, both in our dshield database and on various customer firewalls.  Our reader was seeing his attacks come from an IP allocated to China, but I'm seeing more attacks sourced from the US.

Does anyone have any of these attack packets captured, preferably more than just SYN packets? 

Or if anyone has a sample of the attack software or any malware involved, we'd of course love a sample of that as well !

Rob VandenBrink

Rob VandenBrink

579 Posts
ISC Handler
Mar 5th 2014
Captured a load of packets here. By far and away most are Synology NAS exploits, based on a vulnerability announced towards the end of of last year. CGI exploits based on default HTTP server listening on hyatt at port. Mentioned this on Twitter earlier in the week as well.
Edited -- double post.

7 Posts
Port TCP/5000 may be listed as UPnP but it's also the default HTTP administration interface of any Synology equipment.
Since the discovery of a couple of remotely exploitable critical vulnerabilities this year, I'm not surprised it gets targeted.

7 Posts

Sign Up for Free or Log In to start participating in the conversation!