Security Incidents mailing list archives
RE: morpheus/kazaa probes/scans
From: BRAD GRIFFIN <b.griffin () cqu edu au>
Date: Tue, 12 Feb 2002 09:04:26 +1000
There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214 in a web browser will list the contents of the shared directory and allow you to download files from that directory. What appears to be happening is that a whole bunch of 'curious' folk are hunting for systems that the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 1214 ports, then checking the shared directory via a browser will show if an entire drive has been shared. This will then lead the way to compromising the system. Cheers, Brad
-----Original Message----- From: k [mailto:tattooman () scott culp should read 1984 while ondrugz com] Sent: Tuesday, February 12, 2002 10:50 AM To: incidents () securityfocus com Subject: morpheus/kazaa probes/scans during the past week, i have noticed a *very* substantial and alarming number of unsolicited morpheus/kazaa scans/probes (port 1214). before last week, the targeted systems, which reside on roadrunner cablemodem networks, were receiving an average of 40 separate probes/day, with less than 5 morpheus/kazaa probes/day. currently, those same systems have been getting over 300 morpheus/kazaa probes/day for the past 5 days. the elevated probe numbers have been relatively constant. no file sharing software is or ever has been run (or installed) on any of the systems. ALL unsolicited incoming traffic is filtered/blocked/dropped. NO public services (www, ftp, etc) have ever been run on any of the systems. the probes have been coming from a wide variety of systems all over the world, including .edu and .gov. i have not seen any substantial increase in similar scans on corporate networks that i monitor. anybody else seen an increase in morpheus/kazaa scans, or have any insight into the reasons (new vuln scanning tool, new morpheus/kazaa exploits, etc)? thanks, k -------------------------------------------------------------- -------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- morpheus/kazaa probes/scans k (Feb 11)
- Re: morpheus/kazaa probes/scans Raistlin (Feb 11)
- Re: morpheus/kazaa probes/scans Mike Damm (Feb 11)
- Re: morpheus/kazaa probes/scans Russell Fulton (Feb 11)
- <Possible follow-ups>
- RE: morpheus/kazaa probes/scans BRAD GRIFFIN (Feb 11)
- Re: morpheus/kazaa probes/scans Troy D. Strum (Feb 12)