Security Incidents
mailing list archives
RE: morpheus/kazaa probes/scans
From: BRAD GRIFFIN <b.griffin () cqu edu au>
Date: Tue, 12 Feb 2002 09:04:26 +1000
There was some discussion in online newsletters, online mass-media news outlets and on the vuln-dev list discussing how Kazaa and Morpheus show the contents of the shared folder to the world. Entering (IP address):1214 in a web browser will list the contents of the shared directory and allow you to download files from that directory. What appears to be happening is that a whole bunch of 'curious' folk are hunting for systems that the user has unwittingly/ignorantly (read: new user) shared their 'C' or root drive. Scanning for open 1214 ports, then checking the shared directory via a browser will show if an entire drive has been shared. This will then lead the way to compromising the system.
Cheers,
Brad
-----Original Message-----
From: k [mailto:tattooman () scott culp should read 1984 while ondrugz com]
Sent: Tuesday, February 12, 2002 10:50 AM
To: incidents () securityfocus com
Subject: morpheus/kazaa probes/scans
during the past week, i have noticed a *very* substantial and alarming number of unsolicited morpheus/kazaa scans/probes (port 1214). before last week, the targeted systems, which reside on roadrunner cablemodem networks, were receiving an average of 40 separate probes/day, with less than 5 morpheus/kazaa probes/day. currently, those same systems have been getting over 300 morpheus/kazaa probes/day for the past 5 days. the elevated probe numbers have been relatively constant. no file sharing software is or ever has been run (or installed) on any of the systems. ALL unsolicited incoming traffic is filtered/blocked/dropped. NO public services (www, ftp, etc) have ever been run on any of the systems. the probes have been coming from a wide variety of systems all over the world, including .edu and .gov.
i have not seen any substantial increase in similar scans on corporate networks that i monitor.
anybody else seen an increase in morpheus/kazaa scans, or have any insight into the reasons (new vuln scanning tool, new morpheus/kazaa exploits, etc)?
thanks,
k
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
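
Added example, not part of either message in this thread: one way to tally the per-day port 1214 probe counts described above from firewall drop logs and flag days that jump well past a baseline. It assumes iptables-style LOG lines; the sample log, addresses, function names and the spike factor are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format (assumed log source; the
# addresses are documentation ranges, not taken from the thread).
SAMPLE_LOG = """\
Feb  4 03:12:45 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=3345 DPT=1214 SYN
Feb  4 09:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=4120 DPT=80 SYN
Feb  9 00:01:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=1045 DPT=1214 SYN
Feb  9 00:01:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=1045 DPT=1214 SYN
Feb  9 02:17:31 gw kernel: IN=eth0 OUT= SRC=192.0.2.81 DST=203.0.113.10 PROTO=TCP SPT=2210 DPT=1214 SYN
Feb  9 05:44:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.10 PROTO=TCP SPT=3999 DPT=1214 SYN
Feb  9 06:02:50 gw kernel: IN=eth0 OUT= SRC=192.0.2.81 DST=203.0.113.10 PROTO=TCP SPT=2214 DPT=1214 ACK
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ .*?\bSRC=(?P<src>\S+) .*?\bPROTO=TCP\b"
    r".*?\bDPT=(?P<dpt>\d+)\b(?P<rest>.*)$"
)

def kazaa_probe_stats(log_text, port=1214):
    """Return {day: (syn_count, distinct_sources)} for dropped TCP SYNs to `port`."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != port:
            continue
        flags = m["rest"].split()
        # Count only new connection attempts: SYN set, ACK not set.
        if "SYN" not in flags or "ACK" in flags:
            continue
        day = " ".join(m["day"].split())  # normalise "Feb  4" to "Feb 4"
        counts[day] += 1
        sources[day].add(m["src"])
    return {d: (counts[d], len(sources[d])) for d in counts}

def spike_days(stats, baseline_per_day, factor=3):
    """Days whose probe count is at least `factor` times the usual daily count."""
    return sorted(d for d, (n, _) in stats.items() if n >= factor * baseline_per_day)

if __name__ == "__main__":
    stats = kazaa_probe_stats(SAMPLE_LOG)
    print(stats, spike_days(stats, baseline_per_day=1))
```

Reporting distinct sources next to the raw count separates one host retrying from many hosts each probing once, which is the pattern the original poster describes.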