|Port TCP 5000 is also used by Apple AirPlay when mirroring the iPad display to other devices in addition to AirPlay's normal ports of 7000, 7100 and range of 49152-50000 plus all UDP ports
|MV Spoken Word - Hotline Server rks.ath.cx 220.127.116.11
I'm not certain this is malware, but I will issue a caution about "downloading" information from Host name: rks.ath.cx, IP address: 18.104.22.168, via Hotline Client Software 1.8.5, Amongst the information resident there is freedom related info, which seems all well and good. However, the required software to download from that site, claiming to be Adware, evidenced behaviour which apeared to me to indicate that the combination of this software and this server may be spyware, as it created a whole lot of both local disk accesses and internet traffic while all its' status indicators said it was not doing anything I'd asked it to do, i.e. I merely connected to the server. My guess is it scans your volumes and uploads the data it finds. I also believe it installs spyware software independent of the application itself, as it modified the System file on my Macintosh system. I'd love to be proven wrong about this, but I'm not going to invest any more energy into further testing of this situation, which is sad, as they seem to have some really good information there.
I retried this 2003-04-19 and 2003-04-20 with a fresh copy of the later version 1.9 of Hotline Client Software and was unable to connect to the server at all... then ran nmap on the server and found TCP port 5000 open. The documentation about this server suggests both "mvsw" and "mvsp" as the UserName and/or Password; and no permutation of those got a connection.
|Ahmad M. Alanazy
|as Kurt Seifried page said
CVE-2001-0876 CVE-2001-0877 CAN-2001-0721 CAN-2005-0833 related to port 5000/tcp
and some old US-CERT alerts that relate the port to W32/Bobax and W32/Kibuv network scans
|UDP ports 5000-5009 seem to be used for Yahoo Voice Chat. Firewalling 5000 will disrupt yahoo peer-to-peer voice messaging.
TCP port 5000 is also used by Universal plug and play. WindowsME ships with a program called "SSDPSRV.EXE", or Simple Service Discover Protocol Server, which is used for Universal Plug and Play. This process listens on TCP 5000 for XML exchange.
|This can be the reason ...
Bobax Trojan Analysis - port 5000
The scanning thread works as follows: An HTTP listener is set up on a random numbered port between 2000 and 62000 128 threads are started to scan for vulnerable hosts: 32 threads will scan the same /16 subnet as the local host 32 threads will scan the same /8 subnet as the local host 64 threads will scan randomly chosen Internet addresses The scan is actually performed on TCP port 5000 - if the port is found open this is usually indicative of a Windows XP host. The trojan will then connect to port 445 and execute the LSASS exploit against the vulnerable host. The trojan file will be served from the internal HTTP process and the target host will be infected and under the control of the spammer. It is unclear why the trojan author chose to only infect Windows XP systems. It could be for simplicity - the exploit will crash a system if the target OS and patchlevel does not match certain offsets in the exploit code, so limiting the target platform means you only have to send one offset. It could also be the spammer prefers to operate using home-user systems rather than corporate servers which would be more likely to be running Windows 2000. The internal workings of the code appear similar to spam trojans we have seen before - most recently in the "Minit" trojan. This could be an indication that they at least share some of the same code if they are not written by the same author.
|Looks like it's a worm. You can get the details here...
|Ragnarok Online servers accept client connections from port 5000 so if you have clients who use that game you will have to have outbound 5000 traffic available you can safely block inbound 5000 traffic.
|fan of grc.com
|UPnP (Universal Plug and Play) and SSDP (Simple Service Discovery Protocol) are opening Port 5000 by default in WinXP and Windows 98/98SE/Me as well.
to close: deaktivate SSDP under Services.
well explaining Text:
UnPlug n' Pray by Steve Gibson:
|Nero burner version 6.0.23 from www.nero.com seems to broadcast to this port. It seems it advertises it's Net server (?), but you never really know.