Re: P2P Networking and port 3531

From: Jake Babbin (jbabbinat_private)
Date: Wed Jul 09 2003 - 21:49:27 PDT


    James,
    Yes, this is common to the Kazaa application. If you see this port coming
    from a host, then that means that the host is sharing files; this is
    apparently different than the main application port of 1214. We found this
    port open on some servers at a client site the other night and upon further
    investigation found Kazaa being used on the network.
    One other trick to determine if the host in question is actually using
    Kazaa: telnet to the host on port 3531/tcp. If this host answers with an HTTP
    error (you might have to hit enter a couple of times to get it to crap out),
    then this is most likely a Kazaa client.
    Or you can try looking through the ports on the host, and if you see 1214/tcp
    open then you can try this trick:
    telnet victim host port 1214
    once connected
    type: GET / HTTP/1.0 <enter><enter>
    This will pop back an HTTP error giving you the victim's Kazaa username and
    what network they are on and if they are a supernode sharing files.
    
    Hope this helps,
    Jake Babbin, GCIH
    Sr. Security Engineer
    
    ----- Original Message -----
    From: "James Lay" <jlayat_private>
    To: <incidentsat_private>
    Sent: Tuesday, July 08, 2003 6:06 PM
    Subject: P2P Networking and port 3531
    
    
    > Hey all!
    >
    > Real quick...saw this today on my network:
    >
    > P2PNetworking.exe had udp and tcp port 3531 open.  Packet caps of tcp
    > (only in ascii though :() show:
    > KK
    > CDN0/0
    >
    > Googling didn't bring up much, so I thought I'd see if anyone has seen
    > this kind of activity before.  Thanks!
    >
    > James
    
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    world's premier technical IT security event! 10 tracks, 15 training sessions, 
    1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    "underground" security specialists.  See for yourself what the buzz is about!  
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
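
Added example, not part of the original thread: a small Python helper that automates the manual check described in the reply above, for an administrator auditing hosts on their own network for unauthorized P2P clients. The X-Kazaa-* header names and the sample reply are assumptions constructed for illustration; the post only says that the HTTP error reveals the username, network and supernode details.

```python
import socket

# Constructed sample reply (not captured traffic). The X-Kazaa-* header names
# are an assumption about the client's reply; the post does not list them.
SAMPLE = (b"HTTP/1.0 404 Not Found\r\n"
          b"X-Kazaa-Username: exampleuser\r\n"
          b"X-Kazaa-Network: KaZaA\r\n"
          b"X-Kazaa-SupernodeIP: 192.0.2.10:1214\r\n\r\n")

def parse_reply(raw: bytes) -> dict:
    """Return the HTTP status line and any X-Kazaa-* headers in a reply."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    lines = [l for l in text.split("\n\n", 1)[0].split("\n") if l.strip()]
    info = {"status": None, "kazaa": {}}
    if lines and lines[0].upper().startswith("HTTP/"):
        info["status"] = lines[0].strip()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key.startswith("x-kazaa-"):
            info["kazaa"][key[len("x-kazaa-"):]] = value.strip()
    return info

def classify(raw: bytes) -> str:
    """Map a reply to a triage verdict for the asset owner to follow up."""
    info = parse_reply(raw)
    if info["kazaa"]:
        return "kazaa"
    if info["status"]:
        return "http-no-kazaa-headers"  # HTTP on 1214/3531: check by hand
    return "no-http"

def probe(host: str, port: int = 1214, timeout: float = 5.0) -> bytes:
    """Send the request from the post to a host you administer."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            while len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return buf

if __name__ == "__main__":
    print(classify(SAMPLE), parse_reply(SAMPLE)["kazaa"])
```

Feeding `classify(probe(host))` over an inventory of internal addresses gives a per-host verdict; the "http-no-kazaa-headers" case corresponds to the weaker "most likely" signal the reply describes for port 3531.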
    



    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 09:11:34 PDT