Security Incidents mailing list archives

Re: new trojan?


From: Johannes Verelst <johannes () verelst net>
Date: Wed, 21 Nov 2001 19:01:23 +0100 (MET)

On Wed, 21 Nov 2001, Tom Fischer wrote:

> Hi List,
>
> yesterday I mentioned activities on my Port 1214. Today the activities have grown.
> We're now at about 50.000 requests for yesterday, and today at 20.000. They came
> from different IPs. Searched on some Trojan lists but found nothing.

1214 == KaZaa (more exactly: it's FastTrack, there are more programs than
just KaZaa that use the FT stack).

I think I know where these scans are coming from. FT is a closed protocol
and a bunch of people started an open-source project called 'giFT'. This
project allowed Linux (and other unsupported OS-es) users to connect to
the FT network. FT then changed the protocol, effectively blocking the
giFT clients.

A few weeks ago, somebody announced a 'KaZaa scanner' program called
'ShadowFT'; it scans random IPs to look for individuals that run KaZaa.
The original FT network has 'supernodes' and 'nodes', the giFT program
could connect to a supernode and search it, and download from nodes. Since
connecting to supernodes is impossible, the ShadowFT program tries to find
KaZaa nodes and index them itself.

More info: www.sourceforge.net/projects/gift

Regards,

Johannes
-- 
/===================================\ /====================================\
| Johannes Verelst                   | Email: johannes () verelst net         |
| Web: http://www.verelst.net        | IRC:   nl.eu.slashnet.org / Gullie  |
+===================================/ \====================================+
|"Programming today is a race between software engineers striving to build |
|bigger and better idiot-proof programs, and the Universe trying to produce|
|bigger and better idiots. So far, the Universe is winning."               |
\==========================================================================/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

