[Dshield] Rise in port 5000 probes..

Leeuwen, Allan van allan.vanleeuwen at orangemail.nl
Fri Aug 26 07:03:17 GMT 2005

I think port 5000 scans are used by some bot families to see the
difference between a W2K and an XP machine ... so they can fire off the
correct exploit (without rebooting the target machine)

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Fergie (Paul
Sent: Tuesday, August 23, 2005 10:29 PM
To: list at lists.dshield.org
Subject: [Dshield] Rise in port 5000 probes..

Interestingly, stats at myNetWatchman is showing that the number of
probes targeted at port 5000 are rising:


Note: This is _not_ the (now infamous) Microsoft PnP exploit
which made the rounds last week, but rather:

http://www.iana.org/assignments/port-numbers :

#commplex-main	5000/tcp
#commplex-main	5000/udp

http://grc.com/port_5000.htm :


The Universal Plug N' Play (UPnP) system operates over two ports:
UDP/1900 and TCP/5000.

UDP protocol is used over Port 1900 because the UDP protocol supports a
"broadcast semantics" which allows a single UPnP announcement message to
be received and heard by all devices listening on the same sub-network.
TCP, being inherently a point-to-point connection-oriented protocol,
does not support message broadcasts.

When UPnP devices wish to announce themselves, or "shout out" to find
out what other UPnP devices are hanging around on the network, they
issue a UDP message aimed at port 1900 of the special IP address
[]. This special "multicast" broadcast address has been
set aside for UPnP devices and will be received by all of them listening
on UDP port 1900.

After such an announcement broadcast is made, any devices wishing to
reply or respond to the broadcaster initiate a TCP connection to the
broadcaster's TCP port 5000. The devices then engage in a dialog to meet
their needs.

As you can see, UPnP-enabled devices will be opening and listening on
UDP port 1900 and TCP port 5000.


- ferg

"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg at netzero.net or fergdawg at sbcglobal.net
 ferg's tech blog: http://fergdawg.blogspot.com/



The information contained in this message may be confidential and is intended to be only for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. Although Orange has taken steps to ensure that this email and attachments are free from any virus, you do need to verify the possibility of their existence as Orange can take no responsibility for any computer virus which might be transferred by way of this email.
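As an added illustration that is not part of the original thread, here is a small Python script that measures the "rise" the poster describes from a defender's side: it counts distinct sources opening TCP/5000 per day in firewall log lines, ignores the UDP/1900 discovery traffic that legitimate UPnP produces, and flags days whose count jumps well above the earlier baseline. The log line format and the sample lines are constructed assumptions, not any real log format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, not from the post):
# "<date>T<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2005-08-20T09:12:01 TCP 192.0.2.10:3345 -> 198.51.100.7:5000
2005-08-20T11:40:22 UDP 198.51.100.9:1900 -> 198.51.100.7:1900
2005-08-21T08:03:14 TCP 192.0.2.11:4001 -> 198.51.100.7:5000
2005-08-22T02:15:09 TCP 192.0.2.20:1121 -> 198.51.100.7:5000
2005-08-22T02:15:10 TCP 192.0.2.20:1122 -> 198.51.100.8:5000
2005-08-22T03:30:45 TCP 192.0.2.21:2200 -> 198.51.100.7:5000
2005-08-22T04:41:03 TCP 192.0.2.22:2201 -> 198.51.100.7:5000
2005-08-22T06:10:00 TCP 192.0.2.30:2203 -> 198.51.100.7:445
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "dport": int(m.group("dport"))}

def tcp5000_sources_per_day(log):
    """Distinct source addresses that opened TCP/5000, grouped by day.
    UDP/1900 discovery is expected UPnP chatter and is left out on purpose."""
    days = defaultdict(set)
    for rec in parse(log):
        if rec["proto"] == "TCP" and rec["dport"] == 5000:
            days[rec["day"]].add(rec["src"])
    return {d: sorted(s) for d, s in sorted(days.items())}

def rising_days(per_day, factor=2.0):
    """Days whose distinct-source count is at least `factor` times the mean
    of all earlier days. The first day has no baseline and is never flagged."""
    flagged, history = [], []
    for day, srcs in per_day.items():
        n = len(srcs)
        if history and n >= factor * (sum(history) / len(history)):
            flagged.append(day)
        history.append(n)
    return flagged
```

Run against real firewall logs, the same two functions distinguish a genuine probe wave from ordinary UPnP discovery noise on the LAN.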

