
SANS ISC: Call for packets dest 5000 or source 6000 - SANS Internet Storm Center SANS ISC InfoSec Forums


Call for packets dest 5000 or source 6000

There are two events I'm interested in following up at the moment. A few reports mentioned that scans to destination port 5000 seem to be popular at the moment (https://isc.sans.edu/port.html?port=5000). So if you have a few spare packets, that would be great. In this instance I'm not looking for log records, only pcaps.

Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses, e.g. IP address A scanning target 1089-1099, IP address B scanning target 1100-1110, etc. If you have log records or packets for traffic from source port 6000 to multiple ports or IP addresses in your environment, I'd be interested in taking a look.

We've seen both of these previously, but would certainly like to see if it is the same or something different.

Thanks

Mark H 

Mark

392 Posts
ISC Handler
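As an added illustration (not part of the thread and not an ISC tool), the following script shows one way a defender could pull the two patterns Mark asks about out of firewall logs before deciding which pcaps to send: hosts scanning destination port 5000, and the distributed pattern where several source IPs, all using source port 6000, each cover a slice of a destination port range. The log format is assumed to be iptables-style `SRC= DST= SPT= DPT=` records, the sample lines are constructed with documentation-range addresses, and the BPF filter constant is simply the tcpdump expression matching the packets requested.

```python
import re
from collections import Counter, defaultdict

# BPF expression matching the packets this thread asks for, usable as
#   tcpdump -i eth0 -w isc-5000-6000.pcap 'tcp and (dst port 5000 or src port 6000)'
PCAP_FILTER = "tcp and (dst port 5000 or src port 6000)"

# Constructed sample log lines (not real traffic) in an iptables-style format;
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:01:02 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.10 DST=198.51.100.5 SPT=6000 DPT=1089 SYN
Mar 10 08:01:02 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.10 DST=198.51.100.5 SPT=6000 DPT=1090 SYN
Mar 10 08:01:03 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.10 DST=198.51.100.5 SPT=6000 DPT=1091 SYN
Mar 10 08:01:03 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.10 DST=198.51.100.5 SPT=6000 DPT=1092 SYN
Mar 10 08:01:05 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.20 DST=198.51.100.5 SPT=6000 DPT=1093 SYN
Mar 10 08:01:05 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.20 DST=198.51.100.5 SPT=6000 DPT=1094 SYN
Mar 10 08:01:06 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.20 DST=198.51.100.5 SPT=6000 DPT=1095 SYN
Mar 10 08:01:09 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.30 DST=198.51.100.5 SPT=6000 DPT=22 SYN
Mar 10 08:02:11 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.40 DST=198.51.100.7 SPT=51234 DPT=5000 SYN
Mar 10 08:02:14 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.41 DST=198.51.100.8 SPT=44211 DPT=5000 SYN
Mar 10 08:02:20 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.50 DST=198.51.100.5 SPT=40000 DPT=443 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Extract source/destination address and ports; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def ports_by_source(lines, src_port=6000):
    """Map each source IP that used src_port to the set of destination ports it touched."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["spt"] == src_port:
            hits[rec["src"]].add(rec["dpt"])
    return hits


def contiguous_ranges(ports):
    """Collapse a sorted list of ports into (low, high) runs, e.g. [1,2,3,7] -> [(1,3),(7,7)]."""
    ranges = []
    for p in ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def flag_distributed_scan(lines, src_port=6000, min_ports=3):
    """Return (scanners, covered) where scanners maps each source IP that probed at
    least min_ports destination ports from src_port to its sorted port list, and
    covered is the contiguous port ranges the scanners jointly cover. A single
    range spanning several source IPs is the distributed pattern from the thread."""
    hits = ports_by_source(lines, src_port)
    scanners = {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_ports}
    covered = sorted(set().union(*scanners.values())) if scanners else []
    return scanners, contiguous_ranges(covered)


def sources_hitting_port(lines, dst_port=5000):
    """Count connection attempts per source IP against dst_port."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] == dst_port:
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    scanners, covered = flag_distributed_scan(lines)
    print("source-port-6000 scanners:", scanners)
    print("jointly covered ranges:", covered)
    print("sources probing dst port 5000:", dict(sources_hitting_port(lines)))
    print("capture filter:", PCAP_FILTER)
```

On the constructed sample, the two source-port-6000 scanners together cover one contiguous range (1089-1095) even though neither touches more than a handful of ports on its own, which is why the check looks at the union of ports rather than at each source IP in isolation; the single hit from 203.0.113.30 stays below the threshold and is ignored.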
The port 5000 stuff still looks like what Mark talked about 2 weeks ago

isc.sans.edu/diary/Port+5000+traffic+and+snort+signature/…
Jim

400 Posts
ISC Handler
Sorry, I felt compelled to register and post. I don't have any packet captures for you, but I can tell you this. I was doing some recon for a friend because he wanted to see how exposed his network was to the public internet. I can tell you that he is running IBM Synology DSMs on multiple ports. He's got 4 separate instances on the same server and they default to this:

5000:http
5001:https

6000:http
6001:https

7000:http
7001:https

8000:http
8001:https

Within the past two weeks, I have seen 3+ exploits for these Synology DSMs running version 4.3 on particular builds. One of the exploits is an authenticated priv esc:

http://www.exploit-db.com/exploits/28243/
http://osvdb.org/show/osvdb/97169

Another one is an unauthenticated shell upload:
http://www.rapid7.com/db/modules/exploit/linux/http/synology_dsm_sliceupload_exec_noauth

And one that just occurred is a Blind SQL injection:
http://packetstormsecurity.com/files/125701/synologydsm-sql.txt

Even though the oldest exploits are from October of 2013, it seems like there are a lot of scans going on to test for these vulnerabilities from Metasploit.

Cheers,
Rich
gRanger

2 Posts
