Port 5000 traffic and snort signature

Port 5000 traffic and snort signature
ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a snort signature. Thanks James! Your awesome! The traffic is scanning TCP port 5000. After establishing a connection it sends "GET /webman/info.cgi?host='" This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code exection exploit published in October 2013. There is currently a metasploit module available for the vulnerability. Thanks to James for the following snort signature. alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi\|3f\|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;) Follow me on Twitter: @markbaggett There are a couple of chances to sign up for SANS Python programming course. The course starts from the very beginning, assuming you don't know anything about programming or Python. The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement. You will love it!! Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27. http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers	Mark 81 Posts ISC Handler Mar 6th 2014
Subscribe	Mar 6th 2014 6 years ago
* you're	Anonymous
Quote	Mar 6th 2014 6 years ago
Quoting Anonymous:* you're On the same theme. * execution To the 5000 target port incident. Instead of flooding the net with thousands of requests, causing suspicion wouldn't the logical path be target the registered users? I have already voiced my opinion to Synology. To date.. I have seen over 1500 when I would usually see 5 or so. http://www.synology.com/en-global/company/contact_us CVE-2013-6955 and CVE-2013-6987 <== https://www.pcr-online.biz/news/read/synology-issues-fixes-for-dsm-vulnerability/033277 Reference date of article. Another Kudo for James Lay.	ICI2Eye 52 Posts
Quote	Mar 6th 2014 6 years ago

ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a snort signature. Thanks James! Your awesome!

The traffic is scanning TCP port 5000. After establishing a connection it sends "GET /webman/info.cgi?host='"

This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code exection exploit published in October 2013. There is currently a metasploit module available for the vulnerability.

Thanks to James for the following snort signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;)

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for SANS Python programming course. The course starts from the very beginning, assuming you don't know anything about programming or Python. The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement. You will love it!! Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers

Mark

81 Posts
ISC Handler

Mar 6th 2014

* you're

Anonymous

Quoting Anonymous:* you're

On the same theme. * execution

To the 5000 target port incident. Instead of flooding the net with thousands of requests, causing suspicion wouldn't the logical path be target the registered users? I have already voiced my opinion to Synology. To date.. I have seen over 1500 when I would usually see 5 or so.

http://www.synology.com/en-global/company/contact_us

CVE-2013-6955 and CVE-2013-6987 <==

https://www.pcr-online.biz/news/read/synology-issues-fixes-for-dsm-vulnerability/033277 Reference date of article.

Another Kudo for James Lay.

ICI2Eye

52 Posts