Security Incidents mailing list archives

Weird scan on port 1214


From: Vangelis Haniotakis <haniotak () ucnet uoc gr>
Date: Thu, 28 Jun 2001 22:17:54 +0300 (EET DST)

 Hi.

 Today I installed a log watcher for our router logs - they show all
incoming and outgoing connections, complete with source and dest ports,
timestamps, packet count, and size - no IP flags or protocol info,
though. :(

 So, the watcher alerts us if any single host tries a large (defined as
3000) number of connections within, say, half an hour. Most normal hosts
don't go over about 1,000 connections in this time frame. Seems a decent
heuristic for a first check for evildoers; it won't pick up "slow" scans
and the like, but it's a start.

 Which leads us to later tonight, when the watcher starts throwing some
alerts. Seems like one of our hosts (a win2k machine, if we believe nmap)
is connecting to lots of other hosts on port 1214. Approx. 25,000
connections to distinct, random-looking hosts, all on that single port
number, with a packet count of 3-4 packets per connection.

 This has been going on over a time frame of 3 hours now, and no signs
of slowing down. Wish I could pull this thing off the net myself -
unfortunately this will have to wait till morning :(

 Now, port 1214 is reserved for what is called "Intelligent
Communications Protocol" on tcp and KAZAA on udp. I don't know what the
first one is, but I do know that Kazaa is a file sharing thingy.

 The small packet count reminds one of a vulnerability scan. Is there
any known vulnerability re: Kazaa (the most probable target)?


 Thank you all in advance for your time, and sorry for making such a
lengthy post.



--
Vangelis Haniotakis - Network & Communications Centre, University of Crete
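
The watcher described in the post (per-source connection count over a
half-hour window, threshold 3000), plus a second check for the pattern it
caught (one destination port, almost every connection to a distinct host,
3-4 packets per flow), as an added example. This is not the poster's
watcher or any router vendor's log format: the line layout
"timestamp src_ip src_port dst_ip dst_port packets bytes" and the sample
log lines are constructed to match the fields the post says the logs
contain (no protocol or flag column).

```python
"""Connection-count watcher over constructed router log lines.

Assumed log format (one connection per line, whitespace separated):
    <ISO timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <packets> <bytes>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Split one log line into typed fields (assumed layout, see module doc)."""
    ts, src, sport, dst, dport, pkts, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "packets": int(pkts), "bytes": int(size),
    }


def max_in_window(timestamps, window):
    """Largest number of connections by one host inside any span of `window`.

    Sliding two-pointer scan over the sorted timestamps, so a burst that
    straddles a clock half-hour boundary is still counted as one burst."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(records):
    """Per-source shape of the traffic: fan-out, dominant port, flow size."""
    n = len(records)
    ports = Counter(r["dport"] for r in records)
    top_port, top_count = ports.most_common(1)[0]
    return {
        "connections": n,
        "distinct_dsts": len({r["dst"] for r in records}),
        "top_port": top_port,
        "top_port_share": top_count / n,
        "avg_packets": sum(r["packets"] for r in records) / n,
    }


def find_noisy_hosts(lines, threshold=3000, window=timedelta(minutes=30)):
    """The post's heuristic: any source with >= threshold connections in
    any `window` gets an alert, with a traffic summary attached."""
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        peak = max_in_window([r["ts"] for r in recs], window)
        if peak >= threshold:
            summary = summarize(recs)
            summary["peak_in_window"] = peak
            alerts[src] = summary
    return alerts


def looks_like_scan(summary, min_port_share=0.9, min_fanout=0.9,
                    max_avg_packets=4.5):
    """Second-stage check for the shape seen in the post: one port, nearly
    every connection to a different host, and only a few packets per flow.
    Thresholds are assumptions chosen for this example."""
    return (summary["top_port_share"] >= min_port_share
            and summary["distinct_dsts"] >= min_fanout * summary["connections"]
            and summary["avg_packets"] <= max_avg_packets)


def build_sample_log():
    """Constructed sample, not real traffic: 10.0.0.5 hits 40 distinct hosts
    on port 1214 with 3-4 packets each; 10.0.0.7 has ten long HTTP flows
    to three servers."""
    t0 = datetime(2001, 6, 28, 20, 0, 0)
    lines = []
    for i in range(40):
        t = t0 + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 {1025 + i} 198.51.100.{i + 1} "
                     f"1214 {3 + i % 2} {180 + 40 * (i % 2)}")
    for i in range(10):
        t = t0 + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 {2000 + i} 203.0.113.{1 + i % 3} "
                     f"80 {40 + i} {30000 + 500 * i}")
    return lines


if __name__ == "__main__":
    # Threshold lowered to 20 so the 40-connection sample trips the alert.
    for src, s in find_noisy_hosts(build_sample_log(), threshold=20).items():
        print(src, s, "SCAN-LIKE" if looks_like_scan(s) else "bulk traffic")
```

With the post's default threshold of 3000 the tiny sample raises nothing,
which is the point of the second check: the count alone says "busy host",
while the fan-out, single-port and packets-per-flow figures are what
distinguish the scan-shaped traffic from, say, a web proxy or mail relay
that also clears 3000 connections in half an hour.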



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

