[Dshield] Kazaa inquiry to dst port 80?

dominique fiori dominiquefiori at numericable.fr
Mon Nov 25 10:24:24 GMT 2002


I am just a beginner on security issues but I would like to intervene on a 
point we covered last week at Uni. I study Linux Web admin + security and the 
teacher just warned us about a major security issue in KaZaA.

Hackers, lamers, script kiddies seem also to hang on that software in order to 
get easy info.

I understood from my teacher's intervention that KaZaA should not be 
authorized in a work environment unless absolutely mandatory as per company 
business.

When you register on Kazaa you enter an IN name that could be your own name, 
surname or an alias.
Kazaa writes spy-wares on your hard disk, without any warning. Their names 
will take the name of your login.

What is in those spy-wares? What has been downloaded and is not any more on 
your hard disk, the alias of the person you got the data from, what you 
are downloading and of course what you should download next and WHAT YOU 
ARE SHARING.

Those Kazaa spy-wares are located in the shared directory that other Kazaa 
people can access. I am new on security training but I immediately see the 
danger.

A hacker could use that info to contact other people from Kazaa pretending 
to be you and then through trust, social engineering or else pretend to be you. 
Imagine that one of your guys falls into that trap.

I believe there is a huge gap for a security breach here or at least a start 
for further damaging.

Look, I am French, therefore that English language I like is not mine, therefore 
please excuse my spelling mistakes, pidgin English, whatever. Do not think 
because of this that my information is not valid.


Warmest regards and thanks to the numerous people who helped me since the day 
I had 600 megs of data stolen over the net and decided to study security.

It does not only happen to others!

Dominique 

On Sunday 24 November 2002 19:05, you wrote:
> Josh:
>
> On Thu, Nov 21, 2002 at 05:57:53PM -0600, Josh Ballard wrote:
> > > Thought this a bit odd. Notice that the destination port on my end is
> > > TCP:80
> > >
> > > Usually I'd see TCP:1214 on my end.
> >
> > As per the options in the newest KaZaA client, if it "feels" filtered,
> > the next thing it does is attempt to run on port 80.  Pretty much KaZaA
> > is doing a pretty good job of beating most firewalls right now, but I
> > did say most.  I've even heard from some of the commercial companies
> > that say they are a couple weeks out of having updates of their software
> > out to "fix" this.  I've got a semi-standing solution, though I'm in the
> > middle of research on this.  Hope that helps.
>
> Interesting.
>
> I'm not actually filtering Kazaa on 1214, but there's no Kazaa client
> there either: I'm running my little ACK_hole proggie, which sits on a
> port and accepts packets, all the while dropping them much like the
> UNIX discard service.
>
> Thanks..
>
>
> - John
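
A minimal sketch of the kind of listener John describes (accept connections on a port, then discard whatever arrives), written in Python as an added example; it is not John's ACK_hole program and not part of the original thread. The function names, the logged fields and the HTTP-method check used to label each connection are assumptions of this example.

```python
import socket
import threading

# Request-line prefixes used to label a connection as HTTP-like (assumption of this example).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def classify(first_bytes):
    """Label the opening bytes of a connection for the log."""
    if not first_bytes:
        return "no-data"
    return "http-like" if first_bytes.startswith(HTTP_METHODS) else "non-http"

def handle(conn, peer, log):
    """Read and discard everything the peer sends; keep only metadata."""
    total, first = 0, b""
    conn.settimeout(5.0)
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            first = first or chunk[:16]  # remember only the opening bytes
            total += len(chunk)
    except OSError:
        pass  # timeout or reset: still log what was seen
    finally:
        conn.close()
    log.append({"peer": peer[0], "bytes": total, "kind": classify(first)})

def serve(sock, log, max_conns):
    """Accept max_conns connections one after another, then stop listening."""
    for _ in range(max_conns):
        conn, peer = sock.accept()
        handle(conn, peer, log)
    sock.close()

def run_sink(host="127.0.0.1", port=0, max_conns=2):
    """Start the sink in a background thread; returns (port, log, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(8)
    log = []
    t = threading.Thread(target=serve, args=(sock, log, max_conns), daemon=True)
    t.start()
    return sock.getsockname()[1], log, t
```

Each log entry records the peer address, the number of bytes discarded and whether the opening bytes looked like an HTTP request, which is the distinction that matters when unexpected traffic shows up on TCP:80 instead of TCP:1214.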
