Call for packets dest 5000 or source 6000

Published: 2014-03-18
Last Updated: 2014-03-18 11:16:23 UTC
by Mark Hofman (Version: 1)
2 comment(s)

There are two events I'm interested in following up at the moment.  A few reports mentioned that scans to destination port 5000 seem to be popular at the moment. (  So if you have a few spare packets that would be great.  In this instance I'm not looking for log records only pcaps.  

Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses. eg.  IP address A  scanning target 1089-1099.  IP address B scanning target 1100-1110, etc.  If you have log records or packets for trafic from source port 6000 to multiple ports or IP addresses in your environment I'd be interested in taking a look.  

We've seen both of these previously, but certainly like to see if it is the same or something different.  


Mark H 

Keywords: packets
2 comment(s)


The port 5000 stuff still looks like what Mark talked about 2 weeks ago
Sorry, I felt compelled to register and post. I don't have any packet captures for you, but I can tell you this. I was doing some recon for a friend because he wanted to see how exposed his network was to the public internet. I can tell you that he is running IBM Synology DSM's on multiple ports. He's got 4 separate instances on the same server and they default to this:





Within the past two weeks, I have seen 3+ exploits for these synology DSM's running version 4.3 on particular builds. One of the exploits is an authenticated priv esc:

Another one is an unauthenticated shell upload:

And one that just occurred is a Blind SQL injection:

Even though the oldest exploits are from october of 2013, seems like there are alot of scans going on to test for these vulnerabilities from metasploit


Diary Archives