Re: Weird scan on port 1214

From: Vangelis Haniotakis (haniotakat_private)
Date: Fri Jun 29 2001 - 09:54:01 PDT


    On Fri, 29 Jun 2001, Greg A. Woods wrote:
    
    > [ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote: ]
    > > Subject: Weird scan on port 1214
    > >
    > >  Now, port 1214 is reserved for what is called "Intelligent
    > > Communications Protocol" on tcp and KAZAA on udp. I don't know what the
    > > first one is, I do know that Kazaa is a file sharing thingy though.
    >
    > KAZAA is really just HTTP on a "private" port.  You can connect to it
    > with any HTTP browser and get more or less meaningful results.
    
     Thanks! This information should come in handy. Unfortunately (or
    thankfully...) the offending box is off the net at the moment, probably
    shut down for the weekend.
    
    > >  The small packet count reminds one of a vulnerability scan. Has there
    > > been any vulnerability known re: kazaa (the most probable target)?
    >
    > It's more likely they're just scanning for KAZAA servers.
    >
    > One of my clients received a copyright infringement notification from
    > the Motion Picture Association Worldwide Anti-Piracy group the other day
    > stating that such a client was running on a customer's machine and that
    > it contained copyrighted materials.
    >
    > Whether your "scans" are from the likes of the MPA, or just from those
    > trying to find files, or if there's a vulnerability in KAZAA and
    > someone's trying to find targets, is anyone's guess at this point.
    >
    > What source address(es) did those connections appear to have come from?
    
     Well, *our* host was initiating lots of connections to the outside world,
    that was the problem here. It could be and probably is "legitimate" KAZAA
    traffic - in that case, a phone call to the department admin would help.
    But I wanted to gather up some more info before shutting down a faculty
    member's computer.
    
     It's the first time we have had trouble with KAZAA; gnutella and napster
    we know how to detect - mostly checking for reeeeally big transfers :)
    
     In any case, thanks for the suggestions and for sharing your run-in with
    the MPA.
    
    --
    Vangelis Haniotakis - Network & Communications Centre, University of Crete
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Jun 30 2001 - 08:42:54 PDT
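
Added example, not part of the original thread: one way to triage the two signals discussed above (an internal host opening many outbound connections to port 1214, and very large transfers) from flow records. The record layout, the internal address range, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values, not from the thread: campus range, thresholds, record layout.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
KAZAA_PORT = 1214
MIN_PEERS = 5                 # distinct outside peers on 1214 before flagging
BIG_TRANSFER = 500_000_000    # outbound bytes per host before flagging

# Constructed flow records: "src dst proto dport bytes"
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 tcp 1214 420
192.0.2.10 198.51.100.2 tcp 1214 380
192.0.2.10 198.51.100.3 tcp 1214 512
192.0.2.10 203.0.113.4 tcp 1214 300
192.0.2.10 203.0.113.6 udp 1214 96
192.0.2.20 203.0.113.9 tcp 6346 700000000
192.0.2.30 198.51.100.80 tcp 80 15000
198.51.100.7 192.0.2.10 tcp 1214 200
garbled line from the collector
"""

def parse_flows(text):
    # Yield (src, dst, proto, dport, bytes); skip lines that do not parse.
    for line in text.splitlines():
        try:
            src, dst, proto, dport, nbytes = line.split()
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   proto.lower(), int(dport), int(nbytes))
        except ValueError:
            continue

def suspect_hosts(text):
    # Map each internal host to the reasons it deserves a closer look.
    peers, volume = defaultdict(set), defaultdict(int)
    for src, dst, proto, dport, nbytes in parse_flows(text):
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue              # keep only outbound flows from our hosts
        volume[src] += nbytes
        if dport == KAZAA_PORT:
            peers[src].add(dst)
    report = {}
    for host in sorted(volume):
        reasons = []
        if len(peers[host]) >= MIN_PEERS:
            reasons.append("port-1214 fan-out")
        if volume[host] >= BIG_TRANSFER:
            reasons.append("large transfer")
        if reasons:
            report[str(host)] = reasons
    return report
```

A host flagged only for fan-out, like the first one in the sample, is the case the transfer-size check alone would miss.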