Re: morpheus/kazaa probes/scans

From: Russell Fulton (R.FULTONat_private)
Date: Mon Feb 11 2002 - 13:39:53 PST


    On Tue, 2002-02-12 at 13:49, k wrote:
    > 
    > during the past week, i have noticed a *very* substantial and alarming
    > number of unsolicited morpheus/kazaa scans/probes (port 1214).  before
    [ snip ]
    > 
    > anybody else seen an increase in morpheus/kazaa scans,
    
    Over the last few weeks I have seen a large number of systems probing
    apparently random addresses in our network for port 1214.
    
    Here is a typical report from my detector:
    
    
    We saw ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] talk to 38
    ports/addresses(s)
    on Thu 27 Dec 2001 at 08:27 (UTC)
    
    -- Thu 27 Dec 2001 at 20:27 (NZDT)
    
    Connection rate approx 2 per hour
    
    130.216.2.38.tcp - 1214               130.216.149.222.tcp - 1214        
    130.216.15.125.tcp - 1214             130.216.165.169.tcp - 1214        
    130.216.35.13.tcp - 1214              130.216.168.31.tcp - 1214         
    130.216.39.12.tcp - 1214              130.216.168.231.tcp - 1214        
    130.216.44.192.tcp - 1214             130.216.169.94.tcp - 1214         
    130.216.74.201.tcp - 1214             130.216.171.34.tcp - 1214         
    130.216.86.122.tcp - 1214             130.216.185.71.tcp - 1214         
    130.216.89.53.tcp - 1214              130.216.185.150.tcp - 1214        
    130.216.91.114.tcp - 1214             130.216.193.217.tcp - 1214        
    130.216.96.89.tcp - 1214              130.216.198.65.tcp - 1214         
    130.216.99.208.tcp - 1214             130.216.199.135.tcp - 1214        
    130.216.110.231.tcp - 1214            130.216.200.227.tcp - 1214        
    130.216.112.119.tcp - 1214            130.216.216.149.tcp - 1214        
    130.216.117.218.tcp - 1214            130.216.222.76.tcp - 1214         
    130.216.123.152.tcp - 1214            130.216.223.249.tcp - 1214        
    130.216.139.71.tcp - 1214             130.216.227.153.tcp - 1214        
    130.216.141.205.tcp - 1214            130.216.228.105.tcp - 1214        
    130.216.143.181.tcp - 1214            130.216.231.134.tcp - 1214        
    130.216.148.187.tcp - 1214            130.216.240.35.tcp - 1214
    2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214   S_
    2001-12-28-02:22:39 tcp 193.251.43.238:2261 ->  130.216.44.192:1214   S_
    2001-12-28-02:25:27 tcp 193.251.43.238:3198 ->  130.216.2.38:1214     S_
    2001-12-28-03:12:52 tcp 193.251.43.238:3027 ->  130.216.240.35:1214   S_
    2001-12-28-03:19:41 tcp 193.251.43.238:1292 ->  130.216.86.122:1214   S_
    2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214   S_
    2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214   S_
    2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214   S_
    2001-12-28-04:30:44 tcp 193.251.43.238:4631 ->  130.216.169.94:1214   S_
    2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214   S_
    2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214   S_
    
    This is typical of random probing...
    
    This system was active over several days:
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]	1009476049	2001.12.28.07.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]	1009508168	2001.12.28.15.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]	1009540400	2001.12.29.00.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]	1009572750	2001.12.29.09.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238]	1009607636	2001.12.29.19.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1009855687	2002.01.01.16.00	Network_scan[tcp-1214]	read
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1009932115	2002.01.02.13.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1009983734	2002.01.03.04.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010034798	2002.01.03.18.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010101843	2002.01.04.12.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010189905	2002.01.05.13.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010260585	2002.01.06.08.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010332399	2002.01.07.04.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010401233	2002.01.08.00.00	Network_scan[tcp-1214]	new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118]	1010471955	2002.01.08.19.00	Network_scan[tcp-1214]	new
    
    IP address changed in the middle -- new DHCP lease after the machine was
    turned off over New Year?
    
    I do not believe that this sort of behaviour is normal for
    Morpheus/Kazaa.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
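An added example, not part of the original post and not Russell's detector: a small Python scan detector that parses flow-log lines in the format quoted above, groups them by source, protocol and destination port, and flags a source that touches many distinct destination hosts on one port, reporting the host count and an approximate connection rate per hour as the report does. The line-format regex, the ten-host threshold and the two benign flows from 10.0.0.5 are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the detector's flow-log format: the eleven flows quoted
# in the post, plus two made-up flows from a benign peer that only reaches one host.
SAMPLE_LOG = """\
2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214   S_
2001-12-28-02:22:39 tcp 193.251.43.238:2261 ->  130.216.44.192:1214   S_
2001-12-28-02:25:27 tcp 193.251.43.238:3198 ->  130.216.2.38:1214     S_
2001-12-28-03:12:52 tcp 193.251.43.238:3027 ->  130.216.240.35:1214   S_
2001-12-28-03:19:41 tcp 193.251.43.238:1292 ->  130.216.86.122:1214   S_
2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214   S_
2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214   S_
2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214   S_
2001-12-28-04:30:44 tcp 193.251.43.238:4631 ->  130.216.169.94:1214   S_
2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214   S_
2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214   S_
2001-12-28-02:00:00 tcp 10.0.0.5:4000 -> 130.216.2.38:1214   S_
2001-12-28-02:30:00 tcp 10.0.0.5:4001 -> 130.216.2.38:1214   S_
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)")

def parse_flows(text):
    """Yield (timestamp, proto, src, dst, dport) per log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S")
            yield ts, m["proto"], m["src"], m["dst"], int(m["dport"])

def find_port_scanners(text, min_hosts=10):
    """Group flows by (src, proto, dport) and report groups touching >= min_hosts
    distinct destination hosts, with flows per hour over the first-to-last span."""
    groups = defaultdict(list)
    for ts, proto, src, dst, dport in parse_flows(text):
        groups[(src, proto, dport)].append((ts, dst))
    report = {}
    for key, flows in groups.items():
        hosts = {dst for _, dst in flows}
        if len(hosts) < min_hosts:
            continue  # a peer re-contacting a few hosts is not a scan
        times = sorted(ts for ts, _ in flows)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        rate = len(flows) / span_h if span_h > 0 else None
        report[key] = {"hosts": len(hosts), "rate_per_hour": rate}
    return report
```

On the quoted flows this reports 193.251.43.238 reaching 11 distinct hosts on tcp/1214 at roughly 2 connections per hour, while the benign peer stays below the threshold.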
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


