Security Basics: Re: Kazaa?

Re: Kazaa?

From: KoRe MeLtDoWn <koremeltdown_at_hotmail.com>
Date: Sun, 13 Oct 2002 01:06:08 +0000

Hey there Christian,
The activity you are experiencing on your firewall is normal when running
Kazaa.
This is due to the fact that Kazaa uses port 1214 as one of its operation
ports, and causes firewalls to pick up and log its activity as scanning -
there are two situations where this Kazaa activity would be logged by your
firewall, these are:
When your son attempts to download a file off another Kazaa user, a
connection is made - some firewalls constitute this as a port scan.
OR ALTERNATIVELY
When another Kazaa user attempts to download locally stored files off your
machine, a connection is also made in this situation and is classed as a
port scan.

I hope this helps you understand what is going on. He isn't doing anything
malicious; it is just how Kazaa works and how many firewalls react to its
activity.

Regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/

New Zealand

Is your box REALLY secure?

>From: Christian Simatos <christiansimatos_at_freesurf.fr>
>Reply-To: Christian Simatos <christiansimatos_at_freesurf.fr>
>To: security-basics_at_securityfocus.com
>Subject: Kazaa?
>Date: Fri, 11 Oct 2002 13:52:37 +0200
>
>Hello,
>
>My son has installed Kazaa on his pc.
>
>My personal antivirus is reporting that kazaa (I suppose because it's port
>1214) is scanning my own PC from ports which increase regularly.
>I googled to try and find information, but I have not found this behavior
>described.
>- Can anyone help me?
>- Is it the normal Kazaa behavior?
>- Can I prevent it? (other than de-install kazaa)
>
>FWIN,2002/10/11,12:33:21 +2:00 GMT,192.168.0.3:1031,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:35:00 +2:00 GMT,192.168.0.3:1054,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:00 +2:00 GMT,192.168.0.3:1055,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:00 +2:00 GMT,192.168.0.3:1056,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:02 +2:00 GMT,192.168.0.3:1064,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:02 +2:00 GMT,192.168.0.3:1065,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:02 +2:00 GMT,192.168.0.3:1066,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:02 +2:00 GMT,192.168.0.3:1067,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:18 +2:00 GMT,192.168.0.3:1071,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:35 +2:00 GMT,192.168.0.3:1078,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:35:55 +2:00 GMT,192.168.0.3:1119,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:56 +2:00 GMT,192.168.0.3:1120,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:56 +2:00 GMT,192.168.0.3:1121,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:35:56 +2:00 GMT,192.168.0.3:1122,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:36:12 +2:00 GMT,192.168.0.3:1135,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:36:12 +2:00 GMT,192.168.0.3:1136,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:38:39 +2:00 GMT,192.168.0.3:1234,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:41:07 +2:00 GMT,192.168.0.3:1284,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:41:37 +2:00 GMT,192.168.0.3:1288,192.168.0.2:1214,TCP (flags:S)
>FWIN,2002/10/11,12:41:58 +2:00 GMT,192.168.0.3:1290,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:42:49 +2:00 GMT,192.168.0.3:1302,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:43:40 +2:00 GMT,192.168.0.3:1317,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:44:31 +2:00 GMT,192.168.0.3:1318,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,12:48:01 +2:00 GMT,192.168.0.3:1319,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,13:00:26 +2:00 GMT,192.168.0.3:1320,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,13:12:52 +2:00 GMT,192.168.0.3:1330,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,13:25:18 +2:00 GMT,192.168.0.3:1332,192.168.0.2:139,TCP (flags:S)
>FWIN,2002/10/11,13:37:43 +2:00 GMT,192.168.0.3:1333,192.168.0.2:139,TCP (flags:S)
>
> Thanks, Chris

Received on Oct 15 2002
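
Added example, not part of either message: a small Python parser for the FWIN log format quoted above that groups entries by host pair and separates traffic fanning out over many destination ports from repeated connections to one or two ports. The 10-port threshold and the host 192.168.0.9 with its log lines are assumptions, constructed here for contrast.

```python
import re
from collections import defaultdict

# Matches the FWIN entries quoted in the thread; a leading '>' from mail
# quoting is tolerated, and wrapped "(flags:S)" lines simply do not match.
LINE = re.compile(
    r"^>?\s*FWIN,(?P<date>[\d/]+),(?P<time>[\d:]+) \S+ GMT,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)

# Four entries copied from the log in the original question.
PAGE_SAMPLE = """\
FWIN,2002/10/11,12:33:21 +2:00 GMT,192.168.0.3:1031,192.168.0.2:139,TCP (flags:S)
FWIN,2002/10/11,12:35:00 +2:00 GMT,192.168.0.3:1054,192.168.0.2:1214,TCP (flags:S)
FWIN,2002/10/11,12:35:00 +2:00 GMT,192.168.0.3:1055,192.168.0.2:1214,TCP (flags:S)
FWIN,2002/10/11,12:35:35 +2:00 GMT,192.168.0.3:1078,192.168.0.2:139,TCP (flags:S)
"""

# Constructed for contrast (hypothetical host 192.168.0.9): one SYN each
# to twelve different destination ports.
CONSTRUCTED_SCAN = "\n".join(
    f"FWIN,2002/10/11,14:00:{i:02d} +2:00 GMT,192.168.0.9:{2000 + i},192.168.0.2:{20 + i},TCP (flags:S)"
    for i in range(12)
)

def summarize(log_text):
    """Group log entries by (source host, destination host)."""
    pairs = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:  # continuation line or unrelated text
            continue
        p = pairs[(m["src"], m["dst"])]
        p["count"] += 1
        p["sports"].add(int(m["sport"]))
        p["dports"].add(int(m["dport"]))
    return dict(pairs)

def classify(log_text, scan_threshold=10):
    """Label a host pair scan-like only when many destination ports are hit.

    scan_threshold is an assumed value; rising source ports alone are just
    the client's ephemeral ports and are not counted."""
    result = {}
    for pair, p in summarize(log_text).items():
        if len(p["dports"]) >= scan_threshold:
            result[pair] = "scan-like"
        else:
            ports = ",".join(str(d) for d in sorted(p["dports"]))
            result[pair] = "repeated connections to " + ports
    return result
```
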
