Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Logs showing GET /.hash=...
From: Jim Dueltgen <jimd () lmi net>
Date: Thu, 1 May 2003 10:27:52 -0700
I've been working recently with Cisco's Network Based Application Recognition (NBAR) trying to keep Kazaa traffic under control in a multi-tenant installation and I've only ever found this snippet in the documentation:
2. KaZaA version 2 might use port 80 to get around the Firewall. You can control it be adding 

match protocol http url \.hash=*
I'm not sure about the \ vs / as it shows in your logs and as one would expect to see in a URL but the above is what's in Cisco's documentation. My understanding is that the actual download of a file via kazaa v2 happens over port 80 in an attempt to get around passive packet filtering firewalls. 

Regards,

Jim Dueltgen
  LMi.net

At 9:54 AM -0400 4/30/03, Keith Bergen wrote:

I have seen log entries in the form:
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:17 -
0400] "GET /.hash=8a8a30842bc6698dd1cbcb31191fc9e76018ea4c
HTTP/1.1" 404 323
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:22 -
0400] "GET /.hash=355bcee01e59b87d9cc33d4ae3cc8edf5f022d2a
HTTP/1.1" 404 323
dormtw.isu.edu.tw - - [29/Apr/2003:22:04:24 -
0400] "GET /.hash=51f6ec2b496fa6fac83a88d7978321c7b64a5969
HTTP/1.1" 404 323

I looked at past posts, and one indicates that this might be
KaZaa traffic. The other post indicated it was "WinMX". Can
somebody expand on this? For example, what is WinMX? Also,
why would KaZaa connect to port 80?

Thanks,
Keith.

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------



----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]