The utility that I think you are referring is XPANTISPY. Google for it, it's out there. Port 5000 can and will be held open by the SSDP service also. I am seeing this in a lot of machines. Even ones that have XPANTISPY installed. This just started after the latest round of updates.
Hope this helps -----Original Message----- From: Adam Newhard [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 13, 2003 9:16 AM To: [EMAIL PROTECTED] Subject: Re: Port 5000 and Windows XP Side note, at one point in time, while working on a bunch of XP home and professional machines, going to services.msc and disabling upnp didn't always work. Since you don't really need it or want it, you should fully remove it from the system. In other words, after disabling it and rebooting, port scan the machine. There is/was a utility that'd remove upnp completely, but i forget where it is (i found it on google). Being a *nix head, I can't tell you exactly how to completely remove it, but i'm sure someone here can. adam ---------------------------------------------------- Adam Newhard Microstrain, Inc. If vegetarians eat vegetables, watch out for humanitarians ----- Original Message ----- From: "dos cerveza" <[EMAIL PROTECTED]> To: "matt willson" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, August 12, 2003 1:27 PM Subject: RE: Port 5000 and Windows XP > Port 5000 TCP is used together with port 1900 UDP for UPnP (universal plug and play). It is open on a default Windows XP install. > If you don't use it (and you probably don't) you can easily disable the mentioned ports from listening by opening 'services.msc' from a run box and stop the folowwing services: > 'Universal Plug and Play Device Host' & > 'SSDP Discovery Service'. Be sure to set them to 'disabled' or 'manual' to prevent them from starting up on a reboot. > http://www.grc.com has a nice article about this too. > > Sincerely > Dos > > I had reason to look at a Windows XP box and discovered port 5000 open > > on > > it. Subsequent research has shown that this is normal (albeit stupid). > > > > However, when I connect to port 5000, I get an "HTTP/1.1 400 Bad > > Request". Also, fport /ap shows port 5000 open, but will not associate > > an > > application with it. Am I overly paranoid or has this box been > > compromised? > > > > Thanks > > > -- > __________________________________________________________ > Sign-up for your own personalized E-mail at Mail.com > http://www.mail.com/?sr=signup > > CareerBuilder.com has over 400,000 jobs. Be smarter about your job search > http://corp.mail.com/careers > > > ------------------------------------------------------------------------ -- - > ------------------------------------------------------------------------ -- -- > ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------