RE: morpheus/kazaa probes/scans

[BRAD GRIFFIN <b.griffin () cqu edu au>]

There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how 
Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214  in a web browser 
will list the contents of the shared directory and allow you to
download files from that directory. What appears to be happening is that a whole bunch of 'curious' folk are hunting 
for systems that the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 
1214 ports, then checking the shared directory via a browser
will show if an entire drive has been shared. This will then lead the way to compromising the system. 

Cheers,
Brad

> -----Original Message-----
> From: k 
> [mailto:tattooman () scott culp should read 1984 while ondrugz com]
> Sent: Tuesday, February 12, 2002 10:50 AM
> To: incidents () securityfocus com
> Subject: morpheus/kazaa probes/scans
>
>
>
> during the past week, i have noticed a *very* substantial and alarming
> number of unsolicited morpheus/kazaa scans/probes (port 1214).  before
> last week, the targeted systems, which reside on roadrunner cablemodem
> networks, were receiving an average of 40 separate 
> probes/day, with less
> than 5 morpheus/kazaa probes/day.  currently, those same 
> systems have been
> getting over 300 morpheus/kazaa probes/day for the past 5 days.  the
> elevated probe numbers have been relatively constant.  no file sharing
> software is or ever has been run (or installed) on any of the systems.
> ALL unsolicited incoming traffic is filtered/blocked/dropped. 
>  NO public
> services (www, ftp, etc) have ever been run on any of the 
> systems.  the
> probes have been coming from a wide variety of systems all 
> over the world,
> including .edu and .gov.
>
> i have not seen any substantial increase in similar scans on corporate
> networks that i monitor.
>
> anybody else seen an increase in morpheus/kazaa scans, or 
> have any insight
> into the reasons (new vuln scanning tool, new morpheus/kazaa exploits,
> etc)?
>
> thanks,
> k
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com