Security Incidents mailing list archives

Re: morpheus/kazaa probes/scans


From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 12 Feb 2002 10:39:53 +1300

On Tue, 2002-02-12 at 13:49, k wrote:

> during the past week, i have noticed a *very* substantial and alarming
> number of unsolicited morpheus/kazaa scans/probes (port 1214).  before
> [ snip ]
>
> anybody else seen an increase in morpheus/kazaa scans,

Over the last few weeks I have seen a large number of systems probing
apparently random addresses in our network for port 1214.

Here is a typical report from my detector:

We saw ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] talk to 38
ports/addresses(s)
on Thu 27 Dec 2001 at 08:27 (UTC)

-- Thu 27 Dec 2001 at 20:27 (NZDT)

Connection rate approx 2 per hour

130.216.2.38.tcp - 1214               130.216.149.222.tcp - 1214        
130.216.15.125.tcp - 1214             130.216.165.169.tcp - 1214        
130.216.35.13.tcp - 1214              130.216.168.31.tcp - 1214         
130.216.39.12.tcp - 1214              130.216.168.231.tcp - 1214        
130.216.44.192.tcp - 1214             130.216.169.94.tcp - 1214         
130.216.74.201.tcp - 1214             130.216.171.34.tcp - 1214         
130.216.86.122.tcp - 1214             130.216.185.71.tcp - 1214         
130.216.89.53.tcp - 1214              130.216.185.150.tcp - 1214        
130.216.91.114.tcp - 1214             130.216.193.217.tcp - 1214        
130.216.96.89.tcp - 1214              130.216.198.65.tcp - 1214         
130.216.99.208.tcp - 1214             130.216.199.135.tcp - 1214        
130.216.110.231.tcp - 1214            130.216.200.227.tcp - 1214        
130.216.112.119.tcp - 1214            130.216.216.149.tcp - 1214        
130.216.117.218.tcp - 1214            130.216.222.76.tcp - 1214         
130.216.123.152.tcp - 1214            130.216.223.249.tcp - 1214        
130.216.139.71.tcp - 1214             130.216.227.153.tcp - 1214        
130.216.141.205.tcp - 1214            130.216.228.105.tcp - 1214        
130.216.143.181.tcp - 1214            130.216.231.134.tcp - 1214        
130.216.148.187.tcp - 1214            130.216.240.35.tcp - 1214
2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214   S_
2001-12-28-02:22:39 tcp 193.251.43.238:2261 ->  130.216.44.192:1214   S_
2001-12-28-02:25:27 tcp 193.251.43.238:3198 ->  130.216.2.38:1214     S_
2001-12-28-03:12:52 tcp 193.251.43.238:3027 ->  130.216.240.35:1214   S_
2001-12-28-03:19:41 tcp 193.251.43.238:1292 ->  130.216.86.122:1214   S_
2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214   S_
2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214   S_
2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214   S_
2001-12-28-04:30:44 tcp 193.251.43.238:4631 ->  130.216.169.94:1214   S_
2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214   S_
2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214   S_

This is typical of random probing...

This system was active over several days:
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]  1009476049      2001.12.28.07.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]  1009508168      2001.12.28.15.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]  1009540400      2001.12.29.00.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]  1009572750      2001.12.29.09.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]  1009607636      2001.12.29.19.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1009855687      2002.01.01.16.00        Network_scan[tcp-1214]  read
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1009932115      2002.01.02.13.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1009983734      2002.01.03.04.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010034798      2002.01.03.18.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010101843      2002.01.04.12.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010189905      2002.01.05.13.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010260585      2002.01.06.08.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010332399      2002.01.07.04.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010401233      2002.01.08.00.00        Network_scan[tcp-1214]  new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]  1010471955      2002.01.08.19.00        Network_scan[tcp-1214]  new

IP address changed in the middle -- new DHCP lease after the machine was
turned off over New Year?

I do not believe that this sort of behaviour is normal for
Morpheus/Kazaa.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
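The report above flags a source because it touches many distinct hosts on one port, even though it only manages about two connections per hour. The following script is an added illustration of that kind of low-and-slow scan detection; it is not Russell's detector and not code from the original post. It parses connection-log lines in the same layout as the `tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_` records shown above, groups them per source, and reports any source that has reached at least `min_hosts` distinct destinations on a single port. The threshold, the function names and the sample log lines (documentation-range addresses) are assumptions made for this example.

```python
"""Added example (not from the original post): a minimal "network scan"
detector over connection-log lines shaped like the report above, e.g.

    2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214   S_

A source is flagged when it touches many distinct destination hosts on the
same port, regardless of how slowly it does so. Threshold and sample data
are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# One log line: timestamp, protocol, src:sport -> dst:dport, TCP flag summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)"
)

# Constructed sample (documentation-range addresses): one slow prober
# (192.0.2.10) touching six hosts on tcp/1214 over two hours, and one
# ordinary peer (192.0.2.20) connecting repeatedly to a single host.
SAMPLE_LOG = """\
2001-12-28-01:25:12 tcp 192.0.2.10:3363 -> 198.51.100.231:1214   S_
2001-12-28-02:22:39 tcp 192.0.2.10:2261 -> 198.51.100.192:1214   S_
2001-12-28-02:25:27 tcp 192.0.2.10:3198 -> 198.51.100.38:1214    S_
2001-12-28-03:12:52 tcp 192.0.2.10:3027 -> 198.51.100.35:1214    S_
2001-12-28-03:19:41 tcp 192.0.2.10:1292 -> 198.51.100.122:1214   S_
2001-12-28-03:25:13 tcp 192.0.2.10:3122 -> 198.51.100.181:1214   S_
2001-12-28-01:30:00 tcp 192.0.2.20:4001 -> 198.51.100.7:1214     S_
2001-12-28-01:31:00 tcp 192.0.2.20:4002 -> 198.51.100.7:1214     S_
2001-12-28-01:32:00 tcp 192.0.2.20:4003 -> 198.51.100.7:1214     S_
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def summarize(lines):
    """Group connections per source: first/last seen, count, and the set of
    distinct destination hosts per (proto, dport)."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["src"], {
            "first": rec["ts"], "last": rec["ts"], "count": 0,
            "dsts_by_port": defaultdict(set),
        })
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["count"] += 1
        entry["dsts_by_port"][(rec["proto"], rec["dport"])].add(rec["dst"])
    return summary


def rate_per_hour(entry):
    """Connections per hour over the observed window (floored at one minute)."""
    hours = max((entry["last"] - entry["first"]).total_seconds() / 3600.0, 1.0 / 60)
    return entry["count"] / hours


def flag_scans(summary, min_hosts=5):
    """Return [(src, proto, dport, n_hosts, rate)] for every source that reached
    at least `min_hosts` distinct destinations on one port. The rate is reported
    but deliberately not part of the decision: a slow scan is still a scan."""
    hits = []
    for src, entry in summary.items():
        for (proto, dport), dsts in entry["dsts_by_port"].items():
            if len(dsts) >= min_hosts:
                hits.append((src, proto, dport, len(dsts), round(rate_per_hour(entry), 1)))
    return sorted(hits)


if __name__ == "__main__":
    for src, proto, dport, n, rate in flag_scans(summarize(SAMPLE_LOG.splitlines())):
        print(f"Network_scan[{proto}-{dport}] {src}: {n} hosts, approx {rate}/hour")
```

Keying the decision on distinct destination hosts per port rather than on connection rate is what makes a two-per-hour prober visible; a rate threshold alone would never fire on it, while a busy but legitimate peer talking to one host many times stays unflagged.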


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com