On Tue, 2002-02-12 at 13:49, k wrote:
>
> during the past week, i have noticed a *very* substantial and alarming
> number of unsolicited morpheus/kazaa scans/probes (port 1214). before

[ snip ]

> anybody else seen an increase in morpheus/kazaa scans,

Over the last few weeks I have seen a large number of systems probing
apparently random addresses in our network for port 1214. Here is a
typical report from my detector:

We saw ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] talk to 38 ports/addresses(s) on
Thu 27 Dec 2001 at 08:27 (UTC) -- Thu 27 Dec 2001 at 20:27 (NZDT)
Connection rate approx 2 per hour

    130.216.2.38.tcp    - 1214      130.216.149.222.tcp - 1214
    130.216.15.125.tcp  - 1214      130.216.165.169.tcp - 1214
    130.216.35.13.tcp   - 1214      130.216.168.31.tcp  - 1214
    130.216.39.12.tcp   - 1214      130.216.168.231.tcp - 1214
    130.216.44.192.tcp  - 1214      130.216.169.94.tcp  - 1214
    130.216.74.201.tcp  - 1214      130.216.171.34.tcp  - 1214
    130.216.86.122.tcp  - 1214      130.216.185.71.tcp  - 1214
    130.216.89.53.tcp   - 1214      130.216.185.150.tcp - 1214
    130.216.91.114.tcp  - 1214      130.216.193.217.tcp - 1214
    130.216.96.89.tcp   - 1214      130.216.198.65.tcp  - 1214
    130.216.99.208.tcp  - 1214      130.216.199.135.tcp - 1214
    130.216.110.231.tcp - 1214      130.216.200.227.tcp - 1214
    130.216.112.119.tcp - 1214      130.216.216.149.tcp - 1214
    130.216.117.218.tcp - 1214      130.216.222.76.tcp  - 1214
    130.216.123.152.tcp - 1214      130.216.223.249.tcp - 1214
    130.216.139.71.tcp  - 1214      130.216.227.153.tcp - 1214
    130.216.141.205.tcp - 1214      130.216.228.105.tcp - 1214
    130.216.143.181.tcp - 1214      130.216.231.134.tcp - 1214
    130.216.148.187.tcp - 1214      130.216.240.35.tcp  - 1214

    2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_
    2001-12-28-02:22:39 tcp 193.251.43.238:2261 -> 130.216.44.192:1214  S_
    2001-12-28-02:25:27 tcp 193.251.43.238:3198 -> 130.216.2.38:1214    S_
    2001-12-28-03:12:52 tcp 193.251.43.238:3027 -> 130.216.240.35:1214  S_
    2001-12-28-03:19:41 tcp 193.251.43.238:1292 -> 130.216.86.122:1214  S_
    2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214 S_
    2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214 S_
    2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214 S_
    2001-12-28-04:30:44 tcp 193.251.43.238:4631 -> 130.216.169.94:1214  S_
    2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214 S_
    2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214 S_

This is typical of random probing...

This system was active over several days:

    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009476049 2001.12.28.07.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009508168 2001.12.28.15.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009540400 2001.12.29.00.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009572750 2001.12.29.09.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009607636 2001.12.29.19.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009855687 2002.01.01.16.00 Network_scan[tcp-1214] read
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009932115 2002.01.02.13.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009983734 2002.01.03.04.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010034798 2002.01.03.18.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010101843 2002.01.04.12.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010189905 2002.01.05.13.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010260585 2002.01.06.08.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010332399 2002.01.07.04.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010401233 2002.01.08.00.00 Network_scan[tcp-1214] new
    ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010471955 2002.01.08.19.00 Network_scan[tcp-1214] new

IP address changed in the middle -- New dhcp lease after machine was
turned off over new year?

I do not believe that this sort of behaviour is normal for Morpheus/Kazaa

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
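The detector report quoted in the message above has a simple, parseable shape (timestamp, protocol, source:port, destination:port, TCP flag summary), and the property Russell is reading off it is "one source, many distinct destination hosts, one destination port, slow rate". The following is an added example of that detection logic, not code from the post or from the university's detector: it parses lines in that format, groups SYN-only (`S_`) attempts per source and destination port, counts distinct target hosts and the attempt rate, and labels the group as a slow or fast network scan. The eleven `193.251.43.238` lines are the ones printed in the report; the `10.0.0.5` and `192.0.2.7` lines, the flag-string convention and the thresholds (`min_targets`, `slow_rate`) are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape as it appears in the detector report quoted in the post:
#   2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)

# The eleven connection lines from the report in the post (source 193.251.43.238),
# followed by constructed lines: a benign repeat to one host and a fast burst.
REPORT_LINES = [
    "2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_",
    "2001-12-28-02:22:39 tcp 193.251.43.238:2261 -> 130.216.44.192:1214 S_",
    "2001-12-28-02:25:27 tcp 193.251.43.238:3198 -> 130.216.2.38:1214 S_",
    "2001-12-28-03:12:52 tcp 193.251.43.238:3027 -> 130.216.240.35:1214 S_",
    "2001-12-28-03:19:41 tcp 193.251.43.238:1292 -> 130.216.86.122:1214 S_",
    "2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214 S_",
    "2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214 S_",
    "2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214 S_",
    "2001-12-28-04:30:44 tcp 193.251.43.238:4631 -> 130.216.169.94:1214 S_",
    "2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214 S_",
    "2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214 S_",
]
# Constructed: one peer retrying the same host is not a scan.
BENIGN_LINES = [
    "2001-12-28-02:00:00 tcp 10.0.0.5:40000 -> 130.216.2.38:1214 S_",
    "2001-12-28-02:00:30 tcp 10.0.0.5:40001 -> 130.216.2.38:1214 S_",
]
# Constructed: twelve hosts hit within twelve seconds is a fast sweep.
BURST_START = datetime(2001, 12, 28, 9, 0, 0)
BURST_LINES = [
    f"{(BURST_START + timedelta(seconds=i)).strftime('%Y-%m-%d-%H:%M:%S')} tcp "
    f"192.0.2.7:{50000 + i} -> 130.216.1.{i + 1}:1214 S_"
    for i in range(12)
]
SAMPLE_LOG = REPORT_LINES + BENIGN_LINES + BURST_LINES


def parse_line(line):
    """Return a dict for one detector line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d-%H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def summarise(lines):
    """Group SYN-only attempts by (src, proto, dport); count distinct targets and rate."""
    groups = defaultdict(lambda: {"targets": set(), "first": None, "last": None, "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["flags"] != "S_":   # only unanswered/initial SYNs matter here
            continue
        g = groups[(rec["src"], rec["proto"], rec["dport"])]
        g["targets"].add(rec["dst"])
        g["count"] += 1
        g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
        g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
    summary = {}
    for key, g in groups.items():
        hours = (g["last"] - g["first"]).total_seconds() / 3600.0
        # A single-timestamp group has no measurable span; treat it as instantaneous.
        rate = g["count"] / hours if hours > 0 else float("inf")
        summary[key] = {
            "distinct_targets": len(g["targets"]),
            "attempts": g["count"],
            "span_hours": hours,
            "rate_per_hour": rate,
        }
    return summary


def classify(summary, min_targets=10, slow_rate=10.0):
    """Label groups that touch at least min_targets distinct hosts as slow or fast scans."""
    alerts = {}
    for key, s in summary.items():
        if s["distinct_targets"] < min_targets:
            continue
        alerts[key] = "slow network scan" if s["rate_per_hour"] < slow_rate else "fast network scan"
    return alerts


if __name__ == "__main__":
    for key, label in classify(summarise(SAMPLE_LOG)).items():
        src, proto, dport = key
        print(f"{src} -> {proto}/{dport}: {label}")
```

Run over the report's own lines, the `193.251.43.238` group comes out at 11 distinct hosts over about 5.5 hours, roughly 2 attempts per hour, which is the "Connection rate approx 2 per hour" figure the detector printed; the grouping key deliberately ignores the source port, since the changing ephemeral port is exactly what a per-connection view would split on.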
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 16:33:08 PST