Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: new trojan?

From: Rob Keown <Keown () MACDIRECT COM>
Date: Wed, 21 Nov 2001 11:44:14 -0500
Look like KaZaa scans...here is something from Greg Woods from back in the
summer:

[ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote:
]

Subject: Weird scan on port 1214

 Now, port 1214 is reserved for what is called  "Intelligent
Communications Protocol" on tcp and KAZAA on udp. I don't know what the
first one is, I do know that Kazaa is a file sharing thingy though.


KAZAA is really just HTTP on a "private" port.  You can connect to it
with any HTTP browser and get more or less meaningful results.


 The small packet count reminds one of a vulnerability scan. Has there
been any vulnerability known re: kazaa (the most probable target)?


It's more likely they're just scanning for KAZAA servers.

One of my clients received a copyright infringement notification from
the Motion Picture Association Worldwide Anti-Piracy group the other day
stating that such a client was running on a customer's machine and that
it contained copyrighted materials.

Whether your "scans" are from the likes of the MPA, or just from those
trying to find files, or if there's a vulnerability in KAZAA and
someone's trying to find targets, is anyone's guess at this point.

What source address(es) did those connections appear to have come from?

-----Original Message-----
From: Tom Fischer [mailto:tfischer () abh de]
Sent: Wednesday, November 21, 2001 6:46 AM
To: Incidents
Subject: new trojan?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi List,

yesterday I mentioned activites on my Port 1214. Today the activites grown. 
We're now about 50.000 requests for yesterday, and today at 20.000. They
came 
from different IP's. Searched on some Trojan List but found nothing. 

Tom
- -- 
Tom Fischer                     ABH Marketingservice GmbH
System Administrator            Weisshaustraße 23a
Tel: 0221-94400446              50939 Köln      
http://www.abh.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjv7k/4ACgkQwafQrcfco8GPFACcDOJxFArnx+ZT7qc8wAbNzfMI
DZMAoIr6i7BmF4qetl7ENGTmC6W9Vomr
=q83E
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: