Port 1900/5000 connection attempts

From: cambriaat_private
Date: Thu Mar 21 2002 - 20:28:50 PST


    In the last couple of days I've started seeing connection attempts for ports 1900 and 5000.  I'm wondering if this is related to the UPNP vuln discovered last December by eEye Digital Security... (http://www.eeye.com/html/Research/Advisories/AD20011220.html).
    
    I have just started seeing these in the last week.  Is there a known exploit for this now?  Or is there an innocent explanation?  None of the connecting IP addresses are anywhere close to my own net address.  One is a register.com nameserver.  It appears to be an attempt to connect to specific machines rather than a network scan.
    
    
    Mar 21 20:35:54 ws1 178: Mar 21 20:35:54: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
    Mar 21 20:39:22 ws1 179: Mar 21 20:39:22: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(1384) -> x.x.x.33(1900), 1 packet
    Mar 21 20:41:04 ws1 180: Mar 21 20:41:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
    Mar 21 20:41:30 ws1 181: Mar 21 20:41:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
    Mar 21 20:44:30 ws1 182: Mar 21 20:44:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(1384) -> x.x.x.33(1900), 1 packet
    Mar 21 20:46:30 ws1 183: Mar 21 20:46:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
    Mar 21 21:23:18 ws1 184: Mar 21 21:23:18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3450) -> x.x.x.33(1900), 1 packet
    Mar 21 21:27:40 ws1 185: Mar 21 21:27:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 1 packet
    Mar 21 21:28:31 ws1 186: Mar 21 21:28:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3450) -> x.x.x.33(1900), 1 packet
    Mar 21 21:33:31 ws1 187: Mar 21 21:33:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 2 packets
    Mar 22 01:08:08 ws1 189: Mar 22 01:08:08: %SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 1 packet
    Mar 22 01:13:38 ws1 190: Mar 22 01:13:38: %SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 2 packets
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
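
An added example, not part of the original post: a small parser for the `%SEC-6-IPACCESSLOGP` lines quoted above that groups the denials by source address, protocol and destination port, and records how often each source port recurs and which hosts were targeted. The function names are illustrative, and the sample input is a subset of the log lines from the post.

```python
import re
from collections import Counter, defaultdict

# Matches the Cisco IOS %SEC-6-IPACCESSLOGP lines shown in the post.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def parse(lines):
    """Yield one dict per ACL log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                rec[key] = int(rec[key])
            yield rec

def summarize(lines):
    """Group by (src, proto, dport): packet total, source-port reuse, targets."""
    summary = defaultdict(
        lambda: {"packets": 0, "sports": Counter(), "targets": set()}
    )
    for r in parse(lines):
        entry = summary[(r["src"], r["proto"], r["dport"])]
        entry["packets"] += r["pkts"]
        entry["sports"][r["sport"]] += 1   # >1 means the same source port came back
        entry["targets"].add(r["dst"])     # many targets would suggest a sweep
    return dict(summary)

# Sample input: a subset of the log lines from the post above.
SAMPLE = """\
Mar 21 20:35:54 ws1 178: Mar 21 20:35:54: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
Mar 21 20:41:04 ws1 180: Mar 21 20:41:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
Mar 21 20:41:30 ws1 181: Mar 21 20:41:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
Mar 21 21:33:31 ws1 187: Mar 21 21:33:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 2 packets
Mar 22 01:13:38 ws1 190: Mar 22 01:13:38: %SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 2 packets
"""

if __name__ == "__main__":
    for (src, proto, dport), e in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{src:16} {proto}/{dport:<5} packets={e['packets']} "
              f"sports={dict(e['sports'])} targets={sorted(e['targets'])}")
```
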
    


