There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214 in a web browser will list the contents of the shared directory and allow you to download files from that directory.

What appears to be happening is that a whole bunch of 'curious' folk are hunting for systems that the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 1214 ports, then checking the shared directory via a browser will show if an entire drive has been shared. This will then lead the way to compromising the system.

Cheers,
Brad

> -----Original Message-----
> From: k [mailto:tattoomanat_private]
> Sent: Tuesday, February 12, 2002 10:50 AM
> To: incidentsat_private
> Subject: morpheus/kazaa probes/scans
>
> during the past week, i have noticed a *very* substantial and alarming
> number of unsolicited morpheus/kazaa scans/probes (port 1214). before
> last week, the targeted systems, which reside on roadrunner cablemodem
> networks, were receiving an average of 40 separate probes/day, with less
> than 5 morpheus/kazaa probes/day. currently, those same systems have been
> getting over 300 morpheus/kazaa probes/day for the past 5 days. the
> elevated probe numbers have been relatively constant. no file sharing
> software is or ever has been run (or installed) on any of the systems.
> ALL unsolicited incoming traffic is filtered/blocked/dropped. NO public
> services (www, ftp, etc) have ever been run on any of the systems. the
> probes have been coming from a wide variety of systems all over the world,
> including .edu and .gov.
>
> i have not seen any substantial increase in similar scans on corporate
> networks that i monitor.
>
> anybody else seen an increase in morpheus/kazaa scans, or have any insight
> into the reasons (new vuln scanning tool, new morpheus/kazaa exploits,
> etc)?
>
> thanks,
> k
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 16:36:19 PST
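
The per-day tally that k describes can be reproduced from firewall drop logs. The following is an added example, not part of the original messages: it counts dropped TCP probes to port 1214 per day and flags days well above a baseline. The iptables-style log format, the sample lines, the function names and the 3x threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG style. The log format is an assumption
# (the thread names no firewall); addresses are documentation ranges.
def _line(day, src, dpt):
    return (f"Feb {day:>2} 04:00:00 gw kernel: DROP IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt} SYN")

SAMPLE_LOG = "\n".join(
    [_line(5, "198.51.100.7", 1214), _line(5, "198.51.100.8", 137),
     _line(6, "203.0.113.20", 1214), _line(6, "203.0.113.21", 80)]
    + [_line(11, f"203.0.113.{i}", 1214) for i in range(1, 7)]
    + [_line(12, f"198.51.100.{i % 4 + 1}", 1214) for i in range(8)]
)

# Syslog day stamp, then the SRC=, PROTO=TCP and DPT= fields in that order.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s.*?\bSRC=(?P<src>\S+)"
    r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)"
)

def probes_per_day(log_text, port=1214):
    """Return {day: {"probes": count, "sources": set_of_ips}} for `port`."""
    days = defaultdict(lambda: {"probes": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            day = " ".join(m.group("day").split())  # "Feb  5" -> "Feb 5"
            days[day]["probes"] += 1
            days[day]["sources"].add(m.group("src"))
    return dict(days)

def flag_spikes(per_day, baseline_days, factor=3.0):
    """List non-baseline days whose count exceeds factor x the baseline mean."""
    base = [per_day.get(d, {"probes": 0})["probes"] for d in baseline_days]
    mean = sum(base) / len(base) if base else 0.0
    threshold = max(mean * factor, 1.0)  # floor so an empty baseline still works
    return [d for d, v in per_day.items()
            if d not in baseline_days and v["probes"] > threshold]

if __name__ == "__main__":
    per_day = probes_per_day(SAMPLE_LOG)
    for day, v in per_day.items():
        print(f"{day}: {v['probes']} probes from {len(v['sources'])} sources")
    print("spike days:", flag_spikes(per_day, ["Feb 5", "Feb 6"]))
```

Comparing the distinct-source count with the probe count per day separates one noisy host from the wide spread of origins the post reports.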