[In the past weeks, there have been several reports of "exploits" in the Kazaa/Morpheus filesharing programs. The original thread has been killed, but since the original messages might come up in search engines, I thought it still relevant to explain further that these are not exploits and there currently is no proof that running the Morpheus client is dangerous.] Instead of using an own proprietary protocol, the file-sharing program Morpheus uses a light-weight HTTP server which is reachable at http://yourip:1214/ (this should work on Windows 2000 systems as well). HTTP is used for getting filelists and transferring files. As a nice side effect, this enables non-Morpheus-users to retrieve files from Morpheus clients. Some of the HTTP headers display the username, network name, and node that the Morpheus client is connected to: > X-Kazaa-Username: {USER NAME HERE} > X-Kazaa-Network: MusicCity > X-Kazaa-IP: morpheus.users.ip.address:1214 > X-Kazaa-SupernodeIP: supernode.ip.address:1214 Originally this was used for their browser-based file search tool; this tool has since disappeared from their website. Details on Morpheus' architecture can be found here: http://www.openp2p.com/pub/a/p2p/2001/07/02/morpheus.html?page=2 A negative comment must be made: this feature is poorly documented. I think not many kids running Morpheus actually know that they have a web-server running which exposes their user-ID and their files to the world. (Although I doubt that even when it was documented, people would actually take the time to read and understand it.) A firewall could be used to deny these incoming HTTP requests to port 1214; this will also disable transfers to/from some users. (If I recall correctly, Morpheus does support a "passive" scheme; but at least one of the two peers involved must accept incoming HTTP requests at the port, in order for a connection to be established.) -- Walter Hop <walterat_private> | +31 6 24290808 | PGP key ID: 0x84813998
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 16:30:23 PDT