Re: new trojan?

From: Johannes Verelst (johannesat_private)
Date: Wed Nov 21 2001 - 10:01:23 PST

Next message: Aaron: "Re: Questions"

Previous message: Jose Nazario: "Re: SSH CRC32? What am I seeing?"
In reply to: Tom Fischer: "new trojan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 21 Nov 2001, Tom Fischer wrote:

> Hi List,
>
> yesterday I mentioned activites on my Port 1214. Today the activites grown.
> We're now about 50.000 requests for yesterday, and today at 20.000. They came
> from different IP's. Searched on some Trojan List but found nothing.

1214 == KaZaa (more exactly: it's FastTrack, there are more programs than
just KaZaa that use the FT stack).

I think I know where these scans are coming from. FT is a closed protocol
and a bunch of people started an open-source project called 'giFT'. This
project allowed linux (and other unsupported OS-es) users to connect to
the FT network. FT then changed the protocol, effectively blocking the
giFT clients.

A few weeks ago, somebody announced a 'KaZaa scanner' program called
'ShadowFT', it scans random IP's to look for inividuals that run KaZaa.
The original FT network has 'supernodes' and 'nodes', the giFT program
could connect to a supernode and search it, and download from nodes. Since
connecting to supernodes is impossible, the ShadowFT program tries to find
KaZaa nodes and index them itself.

More info: www.sourceforge.net/projects/gift

Regards,

Johannes
-- 
/===================================\ /====================================\
| Johannes Verelst                   | Email: johannesat_private         |
| Web: http://www.verelst.net        | IRC:   nl.eu.slashnet.org / Gullie  |
+===================================/ \====================================+
|"Programming today is a race between software engineers striving to build |
|bigger and better idiot-proof programs, and the Universe trying to produce|
|bigger and better idiots. So far, the Universe is winning."               |
\==========================================================================/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Aaron: "Re: Questions"
Previous message: Jose Nazario: "Re: SSH CRC32? What am I seeing?"
In reply to: Tom Fischer: "new trojan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 10:05:28 PST