Last Updated: 2014-03-26 15:20:18 UTC
by Johannes Ullrich (Version: 1)
We have written a couple of diaries about port 5000 traffic, and received plenty of packet captures. But we still need to put all the pieces together to see what the "end game" is with these attacks. Here is what I have found so far from our honeypot:
- a lot of the port 5000 traffic is spoofed.
I do receive "SYNs" from an IP, and my honeypot responds with a SYN-ACK, but then I get a reset back with a very different TTL.
- the ones that connect send a couple of different requests (a.b.c.d is the address of the honeypot)
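The TTL mismatch described above is a usable spoofing indicator: a host that really sent the SYN and then answers our SYN-ACK with a RST sits at the same hop distance both times, so the two TTLs should be nearly identical. The following is an added example, not code from the diary or from the honeypot, that runs this check over a few constructed packet records (source IP, destination port, TCP flags, IP TTL); the addresses, TTL values and the `max_delta` threshold are assumptions for illustration.

```python
# Added example (not from the ISC diary): flag source IPs whose SYN and RST
# packets toward our honeypot port arrive with very different IP TTLs.
from collections import defaultdict

# Constructed sample records: (src_ip, dst_port, tcp_flags, ip_ttl).
# These are not real capture data; documentation-range addresses are used.
SAMPLE_PACKETS = [
    ("203.0.113.10", 5000, "S", 52),   # SYN arrives with TTL 52 ...
    ("203.0.113.10", 5000, "R", 115),  # ... RST from the "same" IP with TTL 115
    ("198.51.100.7", 5000, "S", 48),   # SYN and RST at consistent hop distance
    ("198.51.100.7", 5000, "R", 47),
    ("192.0.2.33", 5000, "S", 60),     # a source that completes the handshake
    ("192.0.2.33", 5000, "A", 60),
]


def ttl_by_flag(packets, port=5000):
    """Group observed TTLs per source IP by TCP flag, for one destination port."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags, ttl in packets:
        if dport != port:
            continue
        seen[src][flags].add(ttl)
    return seen


def likely_spoofed(packets, port=5000, max_delta=4):
    """Return {src_ip: ttl_delta} for sources whose SYN and RST TTLs differ
    by more than max_delta hops.

    A large jump means the RST most likely came from the real owner of the
    address (reacting to an unsolicited SYN-ACK) while the SYN was forged.
    """
    flagged = {}
    for src, by_flag in ttl_by_flag(packets, port).items():
        syn_ttls, rst_ttls = by_flag.get("S"), by_flag.get("R")
        if not syn_ttls or not rst_ttls:
            continue
        delta = max(abs(s - r) for s in syn_ttls for r in rst_ttls)
        if delta > max_delta:
            flagged[src] = delta
    return flagged


def connected_sources(packets, port=5000):
    """Return the sources that sent a SYN and then an ACK (completed handshake)
    and never tore the connection down with a RST; these are the ones whose
    follow-up requests are worth inspecting."""
    return sorted(
        src for src, by_flag in ttl_by_flag(packets, port).items()
        if "S" in by_flag and "A" in by_flag and "R" not in by_flag
    )


if __name__ == "__main__":
    print("likely spoofed:", likely_spoofed(SAMPLE_PACKETS))
    print("completed handshakes:", connected_sources(SAMPLE_PACKETS))
```

In practice the same grouping can be fed from a pcap reader; the threshold should be a few hops rather than zero, since routes do flap, but a jump of tens of hops is not a routing change.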