|Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555tcp)
|Default port for the Monyog software (I think Idera is renaming it "SQL Diagnostics for MySQL").
|Port 5555 is used by the Android Debug Bridge, a feature that is usually turned off. But it has been discovered that some (in particular Chinese) Android phones ship with it turned on. Also, during jailbreak, the ADB feature is sometimes turned on.
|Legitimate use of this port: Sun xFire servers (x4100, 4140, 4500, 4540) may use this port for out-of-band / ILOM remote control of the server with the latest revisions of the ILOM firmware. However, this traffic would be sporadic and on an as-needed basis (hopefully people aren't using ILOM to log into servers for day-to-day work). One would also see HTTPS (443) traffic from the same IPs, to load the ILOM services pages and invoke the remote control functions.
|MS Dynamics CRM uses this port by default
|We are seeing heavy target traffic on this port. Many of our machines are infected with bling.exe, which is listed as non-malicious spyware, but it is acting like backdoor software from what I can see. Infection is seen with the files bling.exe and o. in the system32 directory on Windows. Activity is TCP from an incrementing port on the infected PC to a fixed port of 5555 on the network target/master.
|Other programs that use port 5555: freeciv, HP Omniback
|Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1905.