Re: morpheus/kazaa probes/scans

From: Russell Fulton (R.FULTON@auckland.ac.nz)
Date: 02/11/02


From: Russell Fulton <R.FULTON@auckland.ac.nz>
To: trade.your.little.sister.for.crack@ondrugz.com
Date: 12 Feb 2002 10:39:53 +1300

On Tue, 2002-02-12 at 13:49, k wrote:
>
> during the past week, i have noticed a *very* substantial and alarming
> number of unsolicited morpheus/kazaa scans/probes (port 1214). before
[ snip ]
>
> anybody else seen an increase in morpheus/kazaa scans,

Over the last few weeks I have seen a large number of systems probing
apparently random addresses in our network for port 1214.

Here is a typical report from my detector:

We saw ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] talk to 38
ports/addresses(s)
on Thu 27 Dec 2001 at 08:27 (UTC)

-- Thu 27 Dec 2001 at 20:27 (NZDT)

Connection rate approx 2 per hour

130.216.2.38.tcp - 1214 130.216.149.222.tcp - 1214
130.216.15.125.tcp - 1214 130.216.165.169.tcp - 1214
130.216.35.13.tcp - 1214 130.216.168.31.tcp - 1214
130.216.39.12.tcp - 1214 130.216.168.231.tcp - 1214
130.216.44.192.tcp - 1214 130.216.169.94.tcp - 1214
130.216.74.201.tcp - 1214 130.216.171.34.tcp - 1214
130.216.86.122.tcp - 1214 130.216.185.71.tcp - 1214
130.216.89.53.tcp - 1214 130.216.185.150.tcp - 1214
130.216.91.114.tcp - 1214 130.216.193.217.tcp - 1214
130.216.96.89.tcp - 1214 130.216.198.65.tcp - 1214
130.216.99.208.tcp - 1214 130.216.199.135.tcp - 1214
130.216.110.231.tcp - 1214 130.216.200.227.tcp - 1214
130.216.112.119.tcp - 1214 130.216.216.149.tcp - 1214
130.216.117.218.tcp - 1214 130.216.222.76.tcp - 1214
130.216.123.152.tcp - 1214 130.216.223.249.tcp - 1214
130.216.139.71.tcp - 1214 130.216.227.153.tcp - 1214
130.216.141.205.tcp - 1214 130.216.228.105.tcp - 1214
130.216.143.181.tcp - 1214 130.216.231.134.tcp - 1214
130.216.148.187.tcp - 1214 130.216.240.35.tcp - 1214
2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_
2001-12-28-02:22:39 tcp 193.251.43.238:2261 -> 130.216.44.192:1214 S_
2001-12-28-02:25:27 tcp 193.251.43.238:3198 -> 130.216.2.38:1214 S_
2001-12-28-03:12:52 tcp 193.251.43.238:3027 -> 130.216.240.35:1214 S_
2001-12-28-03:19:41 tcp 193.251.43.238:1292 -> 130.216.86.122:1214 S_
2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214 S_
2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214 S_
2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214 S_
2001-12-28-04:30:44 tcp 193.251.43.238:4631 -> 130.216.169.94:1214 S_
2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214 S_
2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214 S_

This is typical of random probing...

This system was active over several days:
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009476049 2001.12.28.07.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009508168 2001.12.28.15.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009540400 2001.12.29.00.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009572750 2001.12.29.09.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-238.abo.wanadoo.fr[193.251.43.238] 1009607636 2001.12.29.19.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009855687 2002.01.01.16.00 Network_scan[tcp-1214] read
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009932115 2002.01.02.13.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1009983734 2002.01.03.04.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010034798 2002.01.03.18.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010101843 2002.01.04.12.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010189905 2002.01.05.13.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010260585 2002.01.06.08.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010332399 2002.01.07.04.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010401233 2002.01.08.00.00 Network_scan[tcp-1214] new
ASt-Lambert-101-1-1-118.abo.wanadoo.fr[193.251.43.118] 1010471955 2002.01.08.19.00 Network_scan[tcp-1214] new

IP address changed in the middle -- new DHCP lease after the machine was
turned off over New Year?

I do not believe that this sort of behaviour is normal for
Morpheus/Kazaa.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
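A detector along the lines of the one described above, written here as an added example (not Russell Fulton's own tool): it parses connection records in the format shown in the report, groups SYN attempts by source address and destination port, and flags sources that touch many distinct hosts at a low connection rate, the slow "random probing" pattern the post describes. The sample log embeds the eleven records from the report plus one constructed benign connection from 192.0.2.10; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample log: the eleven records from the report above, plus one constructed
# single connection from 192.0.2.10 that should not be flagged.
SAMPLE_LOG = """
2001-12-28-01:25:12 tcp 193.251.43.238:3363 -> 130.216.110.231:1214 S_
2001-12-28-02:00:00 tcp 192.0.2.10:40000 -> 130.216.110.231:1214 S_
2001-12-28-02:22:39 tcp 193.251.43.238:2261 -> 130.216.44.192:1214 S_
2001-12-28-02:25:27 tcp 193.251.43.238:3198 -> 130.216.2.38:1214 S_
2001-12-28-03:12:52 tcp 193.251.43.238:3027 -> 130.216.240.35:1214 S_
2001-12-28-03:19:41 tcp 193.251.43.238:1292 -> 130.216.86.122:1214 S_
2001-12-28-03:25:13 tcp 193.251.43.238:3122 -> 130.216.143.181:1214 S_
2001-12-28-03:52:34 tcp 193.251.43.238:4068 -> 130.216.123.152:1214 S_
2001-12-28-04:13:48 tcp 193.251.43.238:3026 -> 130.216.141.205:1214 S_
2001-12-28-04:30:44 tcp 193.251.43.238:4631 -> 130.216.169.94:1214 S_
2001-12-28-05:42:19 tcp 193.251.43.238:4203 -> 130.216.227.153:1214 S_
2001-12-28-06:54:31 tcp 193.251.43.238:4150 -> 130.216.228.105:1214 S_
""".strip().splitlines()

# One record: "<YYYY-MM-DD-HH:MM:SS> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

def parse_line(line):
    """Return a dict for one record, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d-%H:%M:%S")
    return rec

def find_slow_scanners(lines, min_targets=8, max_rate_per_hour=10.0):
    """Group SYN attempts by (source, destination port). A source that reaches at least
    min_targets distinct hosts is a scanner; it is 'slow' when its connection rate
    (attempts per hour over the observed window) stays below max_rate_per_hour."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["flags"].startswith("S"):
            buckets[(rec["src"], rec["dport"])].append(rec)
    findings = {}
    for (src, dport), recs in buckets.items():
        targets = {r["dst"] for r in recs}
        if len(targets) < min_targets:
            continue
        first, last = min(r["ts"] for r in recs), max(r["ts"] for r in recs)
        hours = max((last - first).total_seconds(), 1.0) / 3600.0  # floor window at 1 s
        rate = len(recs) / hours
        findings[src] = {"port": dport, "distinct_targets": len(targets),
                         "rate_per_hour": round(rate, 1), "slow": rate <= max_rate_per_hour}
    return findings
```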

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com