Call for packets dest 5000 or source 6000
There are two events I'm interested in following up at the moment. A few reports mentioned that scans to destination port 5000 seem to be popular at the moment. (https://isc.sans.edu/port.html?port=5000). So if you have a few spare packets that would be great. In this instance I'm not looking for log records only pcaps.
Another reader mentioned scans from source port 6000 going to numerous ports on their infrastructure, but from different IP addresses. eg. IP address A scanning target 1089-1099. IP address B scanning target 1100-1110, etc. If you have log records or packets for trafic from source port 6000 to multiple ports or IP addresses in your environment I'd be interested in taking a look.
We've seen both of these previously, but certainly like to see if it is the same or something different.
Thanks
Mark H
Comments
https://isc.sans.edu/diary/Port+5000+traffic+and+snort+signature/17771
Anonymous
Mar 18th 2014
1 decade ago
5000:http
5001:https
6000:http
6001:https
7000:http
7001:https
8000:http
8001:https
Within the past two weeks, I have seen 3+ exploits for these synology DSM's running version 4.3 on particular builds. One of the exploits is an authenticated priv esc:
http://www.exploit-db.com/exploits/28243/
http://osvdb.org/show/osvdb/97169
Another one is an unauthenticated shell upload:
http://www.rapid7.com/db/modules/exploit/linux/http/synology_dsm_sliceupload_exec_noauth
And one that just occurred is a Blind SQL injection:
http://packetstormsecurity.com/files/125701/synologydsm-sql.txt
Even though the oldest exploits are from october of 2013, seems like there are alot of scans going on to test for these vulnerabilities from metasploit
Cheers,
Rich
Anonymous
Mar 24th 2014
1 decade ago