Re: New script-kiddie looking scan

From: Chris Ess (azarin@tokimi.net)
Date: 06/19/02


Date: Tue, 18 Jun 2002 19:27:04 -0400 (EDT)
From: Chris Ess <azarin@tokimi.net>
To: zeno <bugtraq@cgisecurity.net>


> > WinAmp leaves me baffled. Maybe someone can answer that part of the
> > equation.
>
> Often people with cable or dsl download a lot of mp3's because the bandwith is available.
> Perhaps also waiting for a winamp hole to surface for use with ddos nets? Perhaps one
> already exists which isn't known?

The problem is that Winamp doesn't listen on 8000 normally -- at least in
my experience. Shoutcast servers (used for streaming mp3s for such things
as Internet 'radio stations') listen on ports 8000 to 8002. At the
beginning of this month, a remote buffer overflow vulernability was
announced for Shoutcast 1.8.9. The link is below:

http://online.securityfocus.com/bid/4934

Also, I have seen several proxies use port 8000 instead of 8080, so that
may be what the parties responsible are looking for.

Hope this helps.

Sincerely,

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com