Port 5000 traffic and snort signature

Published: 2014-03-06
Last Updated: 2014-03-06 15:59:09 UTC
by Mark Baggett (Version: 1)
2 comment(s)

ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a snort signature.   Thanks James!  Your awesome!

The traffic is scanning TCP port 5000.  After establishing a connection it sends "GET /webman/info.cgi?host='" 

This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code exection exploit published in October 2013.   There is currently a metasploit module available for the vulnerability.

Thanks to James for the following snort signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;)

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for SANS Python programming course.  The course starts from the very beginning, assuming you don't know anything about programming or Python.  The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement.   You will love it!!    Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

 

2 comment(s)

Comments

* you're
[quote=comment#30049]* you're[/quote]

On the same theme. * execution

To the 5000 target port incident. Instead of flooding the net with thousands of requests, causing suspicion wouldn't the logical path be target the registered users? I have already voiced my opinion to Synology. To date.. I have seen over 1500 when I would usually see 5 or so.

http://www.synology.com/en-global/company/contact_us

CVE-2013-6955 and CVE-2013-6987 <==

https://www.pcr-online.biz/news/read/synology-issues-fixes-for-dsm-vulnerability/033277 Reference date of article.

Another Kudo for James Lay.

Diary Archives