From: Troy D. Strum (tstrum salter.com)
Date: Tue Feb 12 2002 - 09:51:46 CST
Hi folks.
I think I might be able to share some insight on this.
This program...
http://www.dddi.nl/~costar/shadowFT/README
...scans networks for Kazaa and Morpheus' port 1214. If found, it indexes
all the files it finds. Kazaa and Morpheus have httpd servers running that
are set to the equivalent of Apache's "auto indexing" (
http://httpd.apache.org/docs/mod/mod_autoindex.html ). This means anyone
with a web browser can see all the files the program is set to share with a
web browser. There are no directories set up, so a request for "GET /" will
show all shared files via an HTML page with file size and a clickable link
to DL the file.
It's trivial to write a script to automate the scanning and retrieval of
these directory listings and to index them. This is what shadowFT is doing.
The process is scan for 1214, pull a http://ipaddress:1214 and then parse
the HTML output and stick it in a database and put a front-end on it.
From their page:
----------------------------
Everyone SHOULD SCAN, even if it's just a little bit.
----------------------------
Of course this could be used to check for idiots with their entire HD
shared!
Cheers.
- Troy
----- Original Message -----
From: "BRAD GRIFFIN" <b.griffin cqu.edu.au>
To: <incidents securityfocus.com>
Sent: Monday, February 11, 2002 7:04 PM
Subject: RE: morpheus/kazaa probes/scans
There was some discussion in online newsletters, online mass-media news
outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the
contents of the shared folder to the world. Entering (IP address):1214 in a
web browser will list the contents of the shared directory and allow you to
download files from that directory. What appears to be happening is that a
whole bunch of 'curious' folk are hunting for systems that the user has
unwittingly/ignorantly (read: new user) shared their 'C' or root drive.
Scanning for open 1214 ports, then checking the shared directory via a
browser will show if an entire drive has been shared. This will then lead
the way to compromising the system.
Cheers,
Brad
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
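Added example, not part of the original thread: a log check a defender could run to spot the port-1214 sweeps described above and to list internal hosts that outside peers were allowed to reach on that port. The iptables-style lines, the FW-DROP/FW-ACCEPT log prefixes, the addresses and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

FASTTRACK_PORT = 1214   # Kazaa/Morpheus port named in the thread
MIN_TARGETS = 3         # assumed threshold: distinct hosts probed by one source

# Constructed sample in iptables LOG style; prefixes and addresses are made up.
SAMPLE_LOG = """\
Feb 11 19:02:11 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=1214 SYN
Feb 11 19:02:11 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=1214 SYN
Feb 11 19:02:12 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=40114 DPT=1214 SYN
Feb 11 19:02:14 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=1214 SYN
Feb 11 19:03:30 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.0.2.12 PROTO=TCP SPT=3321 DPT=1214 SYN
Feb 11 19:04:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=80 SYN
Feb 11 19:05:40 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 PROTO=TCP DPT=12x4 SYN
"""

ACTION = re.compile(r"\bFW-(DROP|ACCEPT)\b")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse(line):
    """Return (action, src, dst, dport) for a TCP SYN entry, else None."""
    action = ACTION.search(line)
    kv = dict(FIELD.findall(line))
    if not action or kv.get("PROTO") != "TCP" or "SYN" not in line.split():
        return None
    if not {"SRC", "DST"} <= kv.keys() or not kv.get("DPT", "").isdigit():
        return None  # truncated or malformed entry
    return action.group(1), kv["SRC"], kv["DST"], int(kv["DPT"])

def analyse(log_text, min_targets=MIN_TARGETS):
    """Return (scanners, exposed) for port-1214 traffic in log_text."""
    probed = defaultdict(set)   # source -> internal hosts it tried on 1214
    exposed = set()             # internal hosts a peer was allowed to reach
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[3] != FASTTRACK_PORT:
            continue
        action, src, dst, _ = rec
        probed[src].add(dst)
        if action == "ACCEPT":
            exposed.add(dst)
    scanners = {s: sorted(d) for s, d in probed.items() if len(d) >= min_targets}
    return scanners, sorted(exposed)

if __name__ == "__main__":
    scanners, exposed = analyse(SAMPLE_LOG)
    print("sweeping sources:", scanners, "| reachable on 1214:", exposed)
```

Hosts in the second result are the ones to check first for an over-broad shared folder, since their file listing is reachable from outside.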