RE: new trojan?

From: Rob Keown (Keownat_private)
Date: Wed Nov 21 2001 - 08:44:14 PST


    Look like KaZaa scans...here is something from Greg Woods from back in the
    summer:
    
    [ On Thursday, June 28, 2001 at 22:17:54 (+0300), Vangelis Haniotakis wrote: ]
    > Subject: Weird scan on port 1214
    >
    >  Now, port 1214 is reserved for what is called "Intelligent
    > Communications Protocol" on tcp and KAZAA on udp. I don't know what the
    > first one is, I do know that Kazaa is a file sharing thingy though.
    
    KAZAA is really just HTTP on a "private" port.  You can connect to it
    with any HTTP browser and get more or less meaningful results.
    
    >  The small packet count reminds one of a vulnerability scan. Has there
    > been any vulnerability known re: kazaa (the most probable target)?
    
    It's more likely they're just scanning for KAZAA servers.
    
    One of my clients received a copyright infringement notification from
    the Motion Picture Association Worldwide Anti-Piracy group the other day
    stating that such a client was running on a customer's machine and that
    it contained copyrighted materials.
    
    Whether your "scans" are from the likes of the MPA, or just from those
    trying to find files, or if there's a vulnerability in KAZAA and
    someone's trying to find targets, is anyone's guess at this point.
    
    What source address(es) did those connections appear to have come from?
    
    -----Original Message-----
    From: Tom Fischer [mailto:tfischerat_private]
    Sent: Wednesday, November 21, 2001 6:46 AM
    To: Incidents
    Subject: new trojan?
    
    
    Hi List,
    
    yesterday I mentioned activities on my port 1214. Today the activities have grown.
    We're now at about 50,000 requests for yesterday, and today at 20,000. They
    came from different IPs. Searched on some trojan lists but found nothing.
    
    Tom
    - -- 
    Tom Fischer			ABH Marketingservice GmbH
    System Administrator		Weisshaustraße 23a
    Tel: 0221-94400446		50939 Köln	
    http://www.abh.de
    
    
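As an added example (not code from any of the posters), here is a small Python script, assuming iptables-style syslog lines as its constructed sample input, that does the triage Rob asks for: it counts port 1214 hits per day, per source address and per protocol (TCP and UDP 1214 are registered to different things, as the quoted thread notes), and gives a crude read on whether the traffic is many low-volume sources, as a sweep for KaZaA peers would be, or a few heavy ones.

```python
import re
from collections import Counter

# Constructed sample of iptables-style syslog lines (not real traffic); the
# addresses are documentation ranges and the last line is deliberately not port 1214.
SAMPLE_LOG = """\
Nov 20 10:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3055 DPT=1214 SYN
Nov 20 10:01:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3056 DPT=1214 SYN
Nov 20 11:12:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1030 DPT=1214 SYN
Nov 21 06:20:17 fw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.5 PROTO=UDP SPT=1214 DPT=1214
Nov 21 06:21:50 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1031 DPT=1214 SYN
Nov 21 07:00:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=80 SYN
"""

# Pulls the syslog date, source address, protocol and destination port from one line.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \S+ .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def summarize_port_hits(log_text, port=1214):
    """Count hits on `port` per day, per source address and per protocol."""
    per_day, per_src, per_proto = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue  # unparsable line or traffic to some other port
        per_day[f"{m.group('mon')} {int(m.group('day')):02d}"] += 1
        per_src[m.group("src")] += 1
        per_proto[m.group("proto")] += 1
    return {"per_day": per_day, "per_src": per_src, "per_proto": per_proto}

def triage(summary, noisy_threshold=10):
    """Crude read of the pattern: a few heavy sources look targeted, many light
    sources look like the broad peer/server sweeps discussed in the thread."""
    per_src = summary["per_src"]
    noisy = sorted(s for s, n in per_src.items() if n >= noisy_threshold)
    return {
        "total": sum(per_src.values()),
        "distinct_sources": len(per_src),
        "noisy_sources": noisy,
        "pattern": "concentrated" if noisy else "many low-volume sources",
    }

if __name__ == "__main__":
    s = summarize_port_hits(SAMPLE_LOG)
    for day, n in sorted(s["per_day"].items()):
        print(day, n)
    print(dict(s["per_proto"]))
    print(triage(s))
```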
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 08:46:47 PST