
SANS ISC: Port 5000 (tcp/udp) Attack Activity - Internet Security | DShield

Port Information
Protocol  Service          Name
tcp       BackDoorSetup    [trojan] Back Door Setup
udp       commplex-main    commplex-main
tcp       Blazer5          [trojan] Blazer5
tcp       upnp             Universal Plug and Play
tcp       SocketsdesTroie  [trojan] Sockets des Troie
tcp       Ra1d             [trojan] Ra1d
tcp       pitou            Pitou P2 CAM Emulator
tcp       BioNetLite       [trojan] BioNet Lite
tcp       fics             Free Internet Chess Server
tcp       commplex-main    commplex-main
tcp       Bubbel           [trojan] Bubbel
tcp       ICKiller         [trojan] ICKiller
Port diary mentions
Call for packets dest 5000 or source 6000
User Comments
Submitted By Date
2014-08-09 19:49:28
Used by Synology's disk station web-based admin interface (DSM). Also used to spread malware like Synolocker.
Matthew Procter 2012-11-21 13:21:45
Port TCP 5000 is also used by Apple AirPlay when mirroring the iPad display to other devices in addition to AirPlay's normal ports of 7000, 7100 and range of 49152-50000 plus all UDP ports
Angela Kahealani 2009-10-04 18:45:22
MV Spoken Word - Hotline Server I'm not certain this is malware, but I will issue a caution about "downloading" information from Host name:, IP address:, via Hotline Client Software 1.8.5, Amongst the information resident there is freedom related info, which seems all well and good. However, the required software to download from that site, claiming to be Adware, evidenced behaviour which appeared to me to indicate that the combination of this software and this server may be spyware, as it created a whole lot of both local disk accesses and internet traffic while all its status indicators said it was not doing anything I'd asked it to do, i.e. I merely connected to the server. My guess is it scans your volumes and uploads the data it finds. I also believe it installs spyware software independent of the application itself, as it modified the System file on my Macintosh system. I'd love to be proven wrong about this, but I'm not going to invest any more energy into further testing of this situation, which is sad, as they seem to have some really good information there. I retried this 2003-04-19 and 2003-04-20 with a fresh copy of the later version 1.9 of Hotline Client Software and was unable to connect to the server at all... then ran nmap on the server and found TCP port 5000 open. The documentation about this server suggests both "mvsw" and "mvsp" as the UserName and/or Password; and no permutation of those got a connection.
Ahmad M. Alanazy 2007-01-08 20:50:24
As Kurt Seifried's page said, CVE-2001-0876, CVE-2001-0877, CAN-2001-0721 and CAN-2005-0833 are related to port 5000/tcp, as are some old US-CERT alerts that relate the port to W32/Bobax and W32/Kibuv network scans.
Justn Singh 2004-06-27 02:36:12
UDP ports 5000-5009 seem to be used for Yahoo Voice Chat. Firewalling 5000 will disrupt Yahoo peer-to-peer voice messaging. TCP port 5000 is also used by Universal Plug and Play. Windows ME ships with a program called "SSDPSRV.EXE", or Simple Service Discovery Protocol Server, which is used for Universal Plug and Play. This process listens on TCP 5000 for XML exchange.
Sandeep Sengupta 2004-05-18 21:04:19
This can be the reason ... Bobax Trojan Analysis - port 5000
The scanning thread works as follows:
- An HTTP listener is set up on a random numbered port between 2000 and 62000
- 128 threads are started to scan for vulnerable hosts:
  - 32 threads will scan the same /16 subnet as the local host
  - 32 threads will scan the same /8 subnet as the local host
  - 64 threads will scan randomly chosen Internet addresses
The scan is actually performed on TCP port 5000 - if the port is found open this is usually indicative of a Windows XP host. The trojan will then connect to port 445 and execute the LSASS exploit against the vulnerable host. The trojan file will be served from the internal HTTP process and the target host will be infected and under the control of the spammer. It is unclear why the trojan author chose to only infect Windows XP systems. It could be for simplicity - the exploit will crash a system if the target OS and patchlevel does not match certain offsets in the exploit code, so limiting the target platform means you only have to send one offset. It could also be the spammer prefers to operate using home-user systems rather than corporate servers which would be more likely to be running Windows 2000. The internal workings of the code appear similar to spam trojans we have seen before - most recently in the "Minit" trojan. This could be an indication that they at least share some of the same code if they are not written by the same author.
Mike Wisniewski 2004-05-18 04:11:00
Looks like it's a worm. You can get the details here...
Brian 2004-05-04 00:31:06
Ragnarok Online servers accept client connections from port 5000, so if you have clients who use that game you will have to have outbound 5000 traffic available; you can safely block inbound 5000 traffic.
fan of 2004-03-07 19:41:32
UPnP (Universal Plug and Play) and SSDP (Simple Service Discovery Protocol) are opening Port 5000 by default in WinXP and Windows 98/98SE/Me as well. To close: deactivate SSDP under Services. A text that explains it well: UnPlug n' Pray by Steve Gibson: German link:
jokmi 2004-01-30 19:54:41
Nero burner version 6.0.23 from seems to broadcast to this port. It seems it advertises its Net server (?), but you never really know.
CVE Links
CVE # Description