From: BRAD GRIFFIN (b.griffincqu.edu.au)
Date: Mon Feb 11 2002 - 17:04:26 CST


    There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214 in a web browser will list the contents of the shared directory and allow you to download files from that directory.

    What appears to be happening is that a whole bunch of 'curious' folk are hunting for systems where the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 1214 ports, then checking the shared directory via a browser will show if an entire drive has been shared. This will then lead the way to compromising the system.

    Cheers,
    Brad

    > -----Original Message-----
    > From: k
    > [mailto:tattoomanscott.culp.should.read.1984.while.ondrugz.com]
    > Sent: Tuesday, February 12, 2002 10:50 AM
    > To: incidentssecurityfocus.com
    > Subject: morpheus/kazaa probes/scans
    >
    >
    >
    > during the past week, i have noticed a *very* substantial and alarming
    > number of unsolicited morpheus/kazaa scans/probes (port 1214). before
    > last week, the targeted systems, which reside on roadrunner cablemodem
    > networks, were receiving an average of 40 separate probes/day, with less
    > than 5 morpheus/kazaa probes/day. currently, those same systems have been
    > getting over 300 morpheus/kazaa probes/day for the past 5 days. the
    > elevated probe numbers have been relatively constant. no file sharing
    > software is or ever has been run (or installed) on any of the systems.
    > ALL unsolicited incoming traffic is filtered/blocked/dropped. NO public
    > services (www, ftp, etc) have ever been run on any of the systems. the
    > probes have been coming from a wide variety of systems all over the world,
    > including .edu and .gov.
    >
    > i have not seen any substantial increase in similar scans on corporate
    > networks that i monitor.
    >
    > anybody else seen an increase in morpheus/kazaa scans, or have any insight
    > into the reasons (new vuln scanning tool, new morpheus/kazaa exploits,
    > etc)?
    >
    > thanks,
    > k
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >

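Added example (not part of either poster's message): a defender-side tally of the port 1214 probes discussed in this thread, counting dropped inbound TCP packets per day and flagging days far above the earlier baseline. The log line format, the addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed log format (an assumption, not from the thread):
#   <ISO timestamp> DROP TCP src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+DROP\s+TCP\s+"
    r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)\s*$"
)

def daily_probes(lines, port=1214):
    """Return {day: {"probes": n, "sources": m}} for dropped TCP packets to `port`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) == port:
            hits[m["day"]].append(m["src"])
    return {d: {"probes": len(s), "sources": len(set(s))} for d, s in sorted(hits.items())}

def spike_days(stats, factor=5, min_history=2):
    """Flag days whose probe count exceeds factor x the median of earlier quiet days."""
    flagged, history = [], []
    for day, s in stats.items():
        baseline = max(median(history), 1) if len(history) >= min_history else None
        if baseline is not None and s["probes"] > factor * baseline:
            flagged.append(day)
        else:
            history.append(s["probes"])  # only unflagged days feed the baseline
    return flagged

def sample_log():
    """Constructed sample: three quiet days, then two days of elevated 1214 probes."""
    lines = ["garbage line that does not parse"]
    per_day = {"2002-02-03": 3, "2002-02-04": 4, "2002-02-05": 2,
               "2002-02-06": 30, "2002-02-07": 28}
    for day, n in per_day.items():
        for i in range(n):
            src = f"198.51.100.{i % 20 + 1}"  # documentation-range addresses
            lines.append(f"{day}T{i % 24:02d}:15:00 DROP TCP src={src} dst=192.0.2.10 dport=1214")
        lines.append(f"{day}T23:59:00 DROP TCP src=203.0.113.9 dst=192.0.2.10 dport=80")
    return lines

if __name__ == "__main__":
    stats = daily_probes(sample_log())
    for day, s in stats.items():
        print(day, s)
    print("spike days:", spike_days(stats))
```

Tracking distinct sources alongside raw counts helps separate one noisy host from the many-origin pattern described in the original report.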