Security Incidents mailing list archives
Re: I am popular today...
From: epadin () WAGWEB COM (Ed Padin)
Date: Wed, 3 May 2000 18:38:33 -0400
If anyone wants a good way to detect napster usage (as well as lots of other shenanigans) you might try using snort IDS.

http://myweb.clark.net/~roesch/
"A Lightweight Intrusion Detection System"

Jim Forster wrote some snort rules to report on Napster usage.

http://snort.rapidnet.com/

Here are the Napster Rules that show ports and content. You can adapt this to your own IDS. It triggers for me whenever I go on napster (I only use napster for research purposes ;^> )

alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 8888 (msg:"Napster 8888 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;)
alert tcp any any <> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon () napster com";)

-----Original Message-----
From: Rod MacPherson [mailto:rmacphe () COMPTON NET]
Sent: Tuesday, May 02, 2000 4:06 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: I am popular today...

Napster runs on a (semi)randomly chosen port. It could very well be 6688 on one of your machines.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Dirk Koopman
Sent: Saturday, April 29, 2000 7:51 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: I am popular today...

If that is what is running on port 6688 then probably yes, although very close questioning of the users seems to indicate that napster "isn't being used". There does seem to be an awful lot of activity between one of my machines and the various icmp addresses on port 6688. I thought napster ran on a different port?

On 29-Apr-2000 Ryan Sweat wrote:

You or one of your machines have Napster running? This is the likely cause for the ping requests. Napster's clients ping the host when making a query to find the response time of that host.

Ryan

----- Original Message -----
From: "Dirk Koopman" <djk () TOBIT CO UK>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, April 28, 2000 3:45 AM
Subject: I am popular today...

Are ALL these people _really_ interested in the response time of my class C? Or is this some kind of (pointless) DoS? Has one of hidden M$ machines been acquired by some trojan? Are you one of these?

---------------------------- cut here --------------------------------------
Apr 27 16:44:24 gate iplog[10085]: ICMP: echo from cgowave-33-48.cgocable.net (8 bytes)
Apr 27 16:46:23 gate iplog[10085]: ICMP: echo from i0567.vwr.wanadoo.nl (8 bytes)
Apr 27 17:42:49 gate iplog[10085]: ICMP: echo from csvr4068.st-poelten.cso.net (8 bytes)
Apr 27 18:07:01 gate iplog[10085]: ICMP: echo from A5a74.pppool.de (8 bytes)

--
Dirk-Jan Koopman, Tobit Computer Co Ltd

At the source of every error which is blamed on the computer you will find at least two human errors, including the error of blaming it on the computer.
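
Added example, not part of any message in this thread: a small triage script for iplog ICMP echo lines like the ones Dirk posted, separating scattered single probes from many hosts (the pattern Ryan attributes to Napster clients) from a sustained burst. The four sample lines are the ones from the original post with spacing restored; the year default and the burst_per_min threshold are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# The four iplog lines from the original post, spacing restored.
SAMPLE = """\
Apr 27 16:44:24 gate iplog[10085]: ICMP: echo from cgowave-33-48.cgocable.net (8 bytes)
Apr 27 16:46:23 gate iplog[10085]: ICMP: echo from i0567.vwr.wanadoo.nl (8 bytes)
Apr 27 17:42:49 gate iplog[10085]: ICMP: echo from csvr4068.st-poelten.cso.net (8 bytes)
Apr 27 18:07:01 gate iplog[10085]: ICMP: echo from A5a74.pppool.de (8 bytes)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
    r"ICMP: echo from (?P<src>\S+) \((?P<size>\d+) bytes\)$"
)

def parse(text, year=2000):
    """Return (timestamp, source, size) for each ICMP echo line.
    Syslog lines carry no year, so it is supplied (assumed 2000 here)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other iplog events are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"].lower(), int(m["size"])))
    return events

def summarise(events, burst_per_min=10):
    """Tally echoes per source and per minute.
    burst_per_min is an assumed threshold; tune it to your link."""
    per_src = Counter(src for _, src, _ in events)
    per_min = Counter(ts.replace(second=0) for ts, _, _ in events)
    peak = max(per_min.values(), default=0)
    return {
        "echoes": len(events),
        "sources": len(per_src),
        "repeaters": sorted(s for s, n in per_src.items() if n > 1),
        "peak_per_min": peak,
        # Few echoes per host at a low rate: latency probes, not a flood.
        "verdict": "burst" if peak >= burst_per_min else "scattered-probes",
    }

if __name__ == "__main__":
    print(summarise(parse(SAMPLE)))
```

The summary only characterises the traffic; confirming which internal machine is attracting the probes still needs the port-level data discussed earlier in the thread.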