[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Paul Schmehl pauls at ...1311...
Tue May 18 09:35:00 EDT 2004

--On Tuesday, May 18, 2004 10:08:12 AM -0400 "Miner, Jonathan W (CSC) (US 
SSA)" <jonathan.w.miner at ...2476...> wrote:

> Lots of Port 5000 scans since yesterday... From reading the diary at
> www.incidents.org, it looks like the results of Bobax and Kibuv worms.
> I've written a simple rule that logs all my port 5000 connections.
> Comments?

First of all, it's not a scan.  It's a buffer overflow exploit.  Secondly, 
it's unlikely that it's Bobax/Kibuv, because you would be seeing more ports 
involved in the activity (Kibuv attacks about eight different weaknesses on 
several different ports).  These 5000 probes appear to be "standalone".

I posted a hexdump to the incidents list the other day.  You might want to 
look at that.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
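
The distinction drawn in the reply above (a source that touches only port 5000 versus one that hits several ports) can be checked against alert data. The following is an added example, not part of the original thread: it groups Snort fast-format alerts by source address and labels each source that reached the watched port. The sample alerts, SID, addresses, ports and the `multi_port_min` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Snort fast-format alerts. SID, message, addresses (RFC 5737)
# and ports are sample values, not data from the thread or a worm's port list.
SAMPLE_ALERTS = """\
05/18-09:01:12.104233  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 198.51.100.7:3121 -> 192.0.2.10:5000
05/18-09:01:13.220871  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 198.51.100.7:3122 -> 192.0.2.11:5000
05/18-09:02:40.000112  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 203.0.113.44:4410 -> 192.0.2.10:135
05/18-09:02:40.310554  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 203.0.113.44:4411 -> 192.0.2.10:445
05/18-09:02:41.008671  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 203.0.113.44:4412 -> 192.0.2.10:5000
05/18-09:03:05.771209  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 203.0.113.90:2001 -> 192.0.2.12:80
05/18-09:03:06.100345  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 203.0.113.90:2002 -> 192.0.2.12:5000
05/18-09:04:00.000000  [**] [1:1000001:1] LOCAL tcp connection [**] [Priority: 3] {TCP} 198.51.100.200:1500 -> 192.0.2.10:445
05/18-09:04:01 truncated line without an address pair
"""

# Tail of a fast alert: "{PROTO} src_ip:src_port -> dst_ip:dst_port"
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+(?:\.\d+){3}):\d+\s+->\s+"
    r"\d+(?:\.\d+){3}:(?P<dport>\d+)\s*$"
)

def ports_by_source(text):
    """Map each source IP to the set of TCP destination ports it touched."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("proto") == "TCP":  # unparsable lines are skipped
            seen[m.group("src")].add(int(m.group("dport")))
    return dict(seen)

def classify(text, watch_port=5000, multi_port_min=3):
    """Label sources that hit watch_port; multi_port_min is an assumed cutoff."""
    result = {}
    for src, ports in ports_by_source(text).items():
        if watch_port not in ports:
            continue  # source never touched the port under investigation
        if ports == {watch_port}:
            result[src] = "standalone"
        elif len(ports) >= multi_port_min:
            result[src] = "multi-port"
        else:
            result[src] = "inconclusive"
    return result

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_ALERTS).items()):
        print(f"{src:16} {label:13} {sorted(ports_by_source(SAMPLE_ALERTS)[src])}")
```

The labels only sort sources for follow-up; confirming what a "standalone" source actually sent still requires looking at the packet payload.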
