Re: Weird scan on port 1214

[woods () weird com (Greg A. Woods)]

[ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote: ]
> Subject: Weird scan on port 1214
>
>  Now, port 1214 is reserved for what is called  "Intelligent
> Communications Protocol" on tcp and KAZAA on udp. I don't know what the
> first one is, I do know that Kazaa is a file sharing thingy though.

KAZAA is really just HTTP on a "private" port.  You can connect to it
with any HTTP browser and get more or less meaningful results.

>  The small packet count reminds one of a vulnerability scan. Has there
> been any vulnerability known re: kazaa (the most probable target)?

It's more likely they're just scanning for KAZAA servers.

One of my clients received a copyright infringement notification from
the Motion Picture Association Worldwide Anti-Piracy group the other day
stating that such a client was running on a customer's machine and that
it contained copyrighted materials.

Whether your "scans" are from the likes of the MPA, or just from those
trying to find files, or if there's a vulnerability in KAZAA and
someone's trying to find targets, is anyone's guess at this point.

What source address(es) did those connections appear to have come from?

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com