Hi folks. I think I might be able to share some insight on this.

This program...

http://www.dddi.nl/~costar/shadowFT/README

...scans networks for Kazaa and Morpheus' port 1214. If found, it indexes all the files it finds. Kazaa and Morpheus have httpd servers running that are set to the equivalent of Apache's "auto indexing" ( http://httpd.apache.org/docs/mod/mod_autoindex.html ). This means anyone with a web browser can see all the files the program is set to share. There are no directories set up, so a request for "GET /" will show all shared files via an HTML page with file size and a clickable link to DL the file.

It's trivial to write a script to automate the scanning and retrieval of these directory listings and to index them. This is what shadowFT is doing. The process is: scan for 1214, pull http://ipaddress:1214, then parse the HTML output, stick it in a database and put a front-end on it.

From their page:
----------------------------
Everyone SHOULD SCAN, even if it's just a little bit.
----------------------------

Of course this could be used to check for idiots with their entire HD shared!

Cheers.
- Troy

----- Original Message -----
From: "BRAD GRIFFIN" <b.griffinat_private>
To: <incidentsat_private>
Sent: Monday, February 11, 2002 7:04 PM
Subject: RE: morpheus/kazaa probes/scans

There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214 in a web browser will list the contents of the shared directory and allow you to download files from that directory.

What appears to be happening is that a whole bunch of 'curious' folk are hunting for systems where the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 1214 ports, then checking the shared directory via a browser will show if an entire drive has been shared. This will then lead the way to compromising the system.

Cheers,
Brad

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
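The process Troy describes (probe 1214, pull the index page, parse the HTML into name/size/link records, then look for signs that a whole drive is shared, which is what Brad says the scanners are hunting for), as an added example in Python 3. This is not shadowFT's code and nothing here comes from either post. Two assumptions: the listing format is a constructed Apache-autoindex-like page of <a href> links each followed by a size, since the real Kazaa/Morpheus output is not reproduced on this page, and the set of root-drive marker filenames is a heuristic chosen for this example.

```python
"""Probe-and-index sketch for the Kazaa/Morpheus port 1214 listings discussed
above (added example; not shadowFT's code).  Assumptions: the listing is an
Apache-autoindex-like page of <a href> links each followed by a size, and the
root-drive marker names are a heuristic chosen for this example."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.request import urlopen

KAZAA_PORT = 1214

# Files that live in the root of a Windows drive; seeing them in a flat share
# listing suggests the whole C: drive was shared (heuristic list, see above).
ROOT_DRIVE_MARKERS = {"autoexec.bat", "config.sys", "io.sys", "msdos.sys",
                      "boot.ini", "ntldr", "ntdetect.com", "pagefile.sys"}

SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)\s*([KMG]?)B?\b", re.I)
MULTIPLIER = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


@dataclass
class Entry:
    name: str
    href: str
    size: int


def parse_size(number: str, unit: str) -> int:
    """'4.2', 'M' -> bytes; an empty unit means plain bytes."""
    return int(float(number) * MULTIPLIER[unit.upper()])


class ListingParser(HTMLParser):
    """Turn '<a href=LINK>NAME</a> SIZE' runs into Entry records."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._in_anchor = False
        self._href = ""
        self._name = ""
        self._pending = None  # (name, href) waiting for its size text

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href") or ""
            self._name = ""

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self._in_anchor = False
            self._pending = (self._name.strip(), self._href)

    def handle_data(self, data):
        if self._in_anchor:
            self._name += data
        elif self._pending is not None:
            m = SIZE_RE.search(data)
            if m:
                name, href = self._pending
                self.entries.append(Entry(name, href, parse_size(m.group(1), m.group(2))))
                self._pending = None


def parse_listing(html: str) -> list:
    p = ListingParser()
    p.feed(html)
    p.close()
    return p.entries


def assess_listing(html: str) -> dict:
    """Index the share and flag likely whole-drive sharing."""
    entries = parse_listing(html)
    markers = sorted(e.name.lower() for e in entries if e.name.lower() in ROOT_DRIVE_MARKERS)
    return {
        "count": len(entries),
        "total_bytes": sum(e.size for e in entries),
        "root_markers": markers,
        "whole_drive_suspected": len(markers) >= 2,
    }


def fetch_listing(host: str, port: int = KAZAA_PORT, timeout: float = 5.0):
    """The 'pull http://ipaddress:1214' step; None if the port is closed or
    does not answer HTTP.  Not exercised by the offline sample below."""
    try:
        with urlopen(f"http://{host}:{port}/", timeout=timeout) as resp:
            return resp.read().decode("latin-1", "replace")
    except OSError:  # URLError and HTTPError are OSError subclasses
        return None


# Constructed sample page (not real client output): a drive root leaked into the share.
SAMPLE_LISTING = """<html><head><title>Shared files</title></head><body>
<h1>Index of shared files</h1>
<a href="/4/summer_mix.mp3">summer_mix.mp3</a> 4.2M<br>
<a href="/5/holiday.avi">holiday.avi</a> 612M<br>
<a href="/6/autoexec.bat">autoexec.bat</a> 219<br>
<a href="/7/config.sys">config.sys</a> 1.1K<br>
<a href="/8/boot.ini">boot.ini</a> 190<br>
<a href="/9/quicken.qdf">quicken.qdf</a> 3.8M<br>
</body></html>"""

if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))
```

Run stand-alone it assesses the constructed sample and reports three root-drive markers, so the share is flagged. The same parse-and-flag step is what a user can run against their own host with fetch_listing to see exactly what the client exposes before anyone else does; the marker set should be tuned to the platform, since only the C: root files above are checked here.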
This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 09:25:53 PST