Security Incidents mailing list archives
Re: Weird scan on port 1214
From: woods () weird com (Greg A. Woods)
Date: Fri, 29 Jun 2001 12:39:37 -0400 (EDT)
[ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote: ]
Subject: Weird scan on port 1214 Now, port 1214 is reserved for what is called "Intelligent Communications Protocol" on tcp and KAZAA on udp. I don't know what the first one is, I do know that Kazaa is a file sharing thingy though.
KAZAA is really just HTTP on a "private" port. You can connect to it with any HTTP browser and get more or less meaningful results.
The small packet count reminds one of a vulnerability scan. Has there been any vulnerability known re: kazaa (the most probable target)?
It's more likely they're just scanning for KAZAA servers. One of my clients received a copyright infringement notification from the Motion Picture Association Worldwide Anti-Piracy group the other day stating that such a client was running on a customer's machine and that it contained copyrighted materials. Whether your "scans" are from the likes of the MPA, or just from those trying to find files, or if there's a vulnerability in KAZAA and someone's trying to find targets, is anyone's guess at this point. What source address(es) did those connections appear to have come from? -- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca> Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Weird scan on port 1214 Vangelis Haniotakis (Jun 29)
- Re: Weird scan on port 1214 Nathan W. Labadie (Jun 29)
- Re: Weird scan on port 1214 Greg A. Woods (Jun 30)
- Re: Weird scan on port 1214 Vangelis Haniotakis (Jun 30)
- <Possible follow-ups>
- Re: Weird scan on port 1214 Matt Scarborough (Jun 30)