
SANS ISC: TCP/UDP Port Activity - SANS Internet Storm Center



Port Information

| Protocol | Service | Name |
|---|---|---|
| tcp | sasser-ftp | [trojan] Sasser Worm FTP Server |
| udp | sgi-esphttp | SGI ESP HTTP |
| tcp | sgi-esphttp | SGI ESP HTTP |
User Comments
Submitted By Date
Robert Burnett 2004-07-20 17:36:11
Recent spikes in traffic on this port are most likely caused by the Dabber worm, which spreads itself by connecting to the Sasser FTP server (port 5554) and exploiting a buffer overflow vulnerability in the FTP server.
Alan E Brain 2004-05-04 16:16:24
Used by Sasser worm to spread itself. Sasser spreads by scanning IP addresses for access via TCP Port 445 looking for vulnerable systems, according to Symantec. When it finds an unpatched Windows XP or Windows 2000 computer, Sasser.A adds the file "avserve2.exe"="%Windir%avserve2.exe" in the registry, tries to block attempts to shut down or reboot the infected computer (by using the AbortSystemShutdown application programming interface) and then begins scanning other systems via an FTP server on TCP Port 5554 seeking to spread itself.
CVE Links
CVE # Description