Re: morpheus/kazaa probes/scans

From: Troy D. Strum (tstrumat_private)
Date: Tue Feb 12 2002 - 07:51:46 PST

Next message: Gerrie / Hit2000: "new SNMP vuln"

Previous message: Thomas Themel: "Re: Steady increase in ssh scans"
In reply to: BRAD GRIFFIN: "RE: morpheus/kazaa probes/scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi folks.

I think I might be able to share some insight on this.

This program...

http://www.dddi.nl/~costar/shadowFT/README

...scans networks for Kazaa and Morpheus' port 1214. If found, it indexes
all the files is finds. Kazaa and Morpheus have httpd servers running that
are set to the equivalent to Apache's "auto indexing"  (
http://httpd.apache.org/docs/mod/mod_autoindex.html ). This means anyone
with a web browser can see all the files the program is set to share with a
web browser. There are no directories set up, so a request for "GET /" will
show all shared files via an HTML page with file size and a clickable link
to DL the file.

It's trivial to write a script to automate the scanning and retrieval of
these directory listings and to index them. This is what shadowTF is doing.

The process is scan for 1214, pull a http://ipaddress:1214 and then parse
the HTML output and stick it in a database and put a front-end on it.

From their page:
----------------------------
Everyone SHOULD SCAN, even if it's just a little bit.
----------------------------

Of course this could be used to check for idiots with their entire HD
shared!

Cheers.


- Troy




----- Original Message -----
From: "BRAD GRIFFIN" <b.griffinat_private>
To: <incidentsat_private>
Sent: Monday, February 11, 2002 7:04 PM
Subject: RE: morpheus/kazaa probes/scans


There was some discussion in online newsletters, online mass-media news
outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the
contents of the shared folder to the world. Entering (IP address):1214  in a
web browser will list the contents of the shared directory and allow you to
download files from that directory. What appears to be happening is that a
whole bunch of 'curious' folk are hunting for systems that the user has
unwittingly/ignorantly (read: new user) shared their 'C' or root drive.
Scanning for open 1214 ports, then checking the shared directory via a
browser
will show if an entire drive has been shared. This will then lead the way to
compromising the system.

Cheers,
Brad



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Gerrie / Hit2000: "new SNMP vuln"
Previous message: Thomas Themel: "Re: Steady increase in ssh scans"
In reply to: BRAD GRIFFIN: "RE: morpheus/kazaa probes/scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:25:53 PST