[Dshield] Kazaa Strange Activity - Question

Deb Hale haled at pionet.net
Thu Aug 21 19:00:18 GMT 2003


If you have a user running Kazaa you more than likely have people
downloading the songs that are stored on the computer.  To find out if this
is the case, go to the command prompt (DOS prompt) and type netstat -an.  I
think you will be amazed at what you see.  I had this happen at a customer's
site.  They are investment/financial brokers. One of the employees had
installed Kazaa. We saw some interesting activity in the logs so started
investigating. We found that 16 people outside of the company (TX, OK, CN,
etc.) had established a connection to the computer.

Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com
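The netstat check described above, worked through as an added example (this is not
code from the post or from BCP Enterprise). It parses a constructed sample of Windows
`netstat -an` output, treats any TCP port that also appears in a LISTENING row as an
inbound service, and lists the distinct globally routable hosts holding ESTABLISHED
sessions to each such port. netstat does not record connection direction, so "the
local port is a listener" is the tell that outsiders connected in rather than the user
browsing out. The listener port 1214 in the sample is an assumption (Kazaa's default);
every address in the sample is made up.

```python
"""Triage `netstat -an` on a suspect Windows box: which outside hosts hold sessions to it?"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output; not output from the post's
# customer site. TCP 1214 is used as the listener because that was Kazaa's default
# port; the peers and the other sockets are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    192.168.250.36:139     192.168.250.1:2048     ESTABLISHED
  TCP    192.168.250.36:1214    24.190.172.29:1672     ESTABLISHED
  TCP    192.168.250.36:1214    65.25.147.93:3798      ESTABLISHED
  TCP    192.168.250.36:1214    24.184.49.94:2376      ESTABLISHED
  TCP    192.168.250.36:1214    24.190.172.29:1701     ESTABLISHED
  TCP    192.168.250.36:1214    192.168.250.12:1120    ESTABLISHED
  TCP    192.168.250.36:3021    24.247.132.52:80       TIME_WAIT
  TCP    192.168.250.36:3044    66.24.39.69:80         ESTABLISHED
  UDP    192.168.250.36:1214    *:*
  UDP    0.0.0.0:445            *:*
"""

ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

def split_endpoint(endpoint):
    """'24.190.172.29:1672' -> ('24.190.172.29', '1672'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    """Yield one dict per socket row; the banner and the column header are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m.group("local"))
        fhost, fport = split_endpoint(m.group("foreign"))
        yield {"proto": m.group("proto"), "lhost": lhost, "lport": lport,
               "fhost": fhost, "fport": fport, "state": m.group("state") or ""}

def is_outside(host):
    """True only for a globally routable address: RFC 1918, loopback, link-local
    and the '*' / 0.0.0.0 wildcards are all excluded."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:          # '*' is not an address
        return False

def listening_ports(text):
    """TCP ports the box accepts connections on (the LISTENING rows)."""
    return {s["lport"] for s in parse_netstat(text)
            if s["proto"] == "TCP" and s["state"] == "LISTENING"}

def inbound_outside_sessions(text):
    """Listening port -> sorted distinct outside hosts with an ESTABLISHED session to it.
    Sessions on non-listening local ports are the box's own outbound connections."""
    listeners = listening_ports(text)
    peers = defaultdict(set)
    for s in parse_netstat(text):
        if (s["proto"] == "TCP" and s["state"] == "ESTABLISHED"
                and s["lport"] in listeners and is_outside(s["fhost"])):
            peers[s["lport"]].add(s["fhost"])
    return {port: sorted(hosts) for port, hosts in peers.items()}

if __name__ == "__main__":
    for port, hosts in inbound_outside_sessions(SAMPLE_NETSTAT).items():
        print(f"local port {port}: {len(hosts)} outside host(s): {', '.join(hosts)}")
```

On a live box, feed it the real output (`netstat -an > netstat.txt`) instead of the
sample; the outbound session on local port 3044 and the LAN peer on port 1214 are in
the sample precisely to show that neither is counted.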
 


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Yevette Maurer
Sent: Thursday, August 21, 2003 1:28 PM
To: list at dshield.org
Subject: [Dshield] Kazaa Strange Activity - Question


I was wondering if anyone could help me with a Kazaa question? I am not
familiar with it, except that I know it is a breeding ground for Trojans and
viruses. We have laptop users connected to our network (real estate agents
that pay us for internet connectivity). Our firewall is Microsoft ISA
Server. The following was found in the ISA Server logs:

192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:42, fwsrv, RX_ISASERVER, -, -, 24.190.172.29,1672, -,0,0,1672, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:45, fwsrv, RX_ISASERVER, -, -, 65.25.147.93,3798, -,0,0,3798, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:47, fwsrv, RX_ISASERVER, -, -, 24.184.49.94,2376,101,0,0,2376, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:52, fwsrv, RX_ISASERVER, -, -, 66.41.85.58,3018, -,0,0,3018, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:55, fwsrv, RX_ISASERVER, -, -, 24.247.132.52,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv, RX_ISASERVER, -, -, 24.247.132.52,80,10065,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv, RX_ISASERVER, -, -, 24.186.122.98,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv, RX_ISASERVER, -, -, 24.186.122.98,80,10034,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv, RX_ISASERVER, -, -, 66.30.180.171,2415,251,0,0,2415, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:18, fwsrv, RX_ISASERVER, -, -, 24.161.226.72,1039, -,0,0,1039, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:21, fwsrv, RX_ISASERVER, -, -, 24.185.19.243,2781,100,0,0,2781, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:23, fwsrv, RX_ISASERVER, -, -, 24.74.37.116,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:23, fwsrv, RX_ISASERVER, -, -, 24.74.37.116,80,10,0,1172,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:24, fwsrv, RX_ISASERVER, -, -, 24.188.202.237,2333, -,0,0,2333, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:26, fwsrv, RX_ISASERVER, -, -, 66.24.39.69,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:36, fwsrv, RX_ISASERVER, -, -, 66.24.39.69,80,10084,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:37, fwsrv, RX_ISASERVER, -, -, 12.218.57.197,2342,200,0,0,2342, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:39, fwsrv, RX_ISASERVER, -, -, 24.188.12.26,3409, -,0,0,3409, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:42, fwsrv, RX_ISASERVER, -, -, 66.26.16.139,1550,110,0,0,1550, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:45, fwsrv, RX_ISASERVER, -, -, 24.206.146.220,3510, -,0,0,3510, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:48, fwsrv, RX_ISASERVER, -, -, 66.56.104.87,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:59, fwsrv, RX_ISASERVER, -, -, 66.56.104.87,80,11005,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:59, fwsrv, RX_ISASERVER, -, -, 24.128.158.140,1936,51,0,0,1936, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:50:02, fwsrv, RX_ISASERVER, -, -, 24.166.198.229,1114, -,0,0,1114, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:50:04, fwsrv, RX_ISASERVER, -, -, 24.161.2.230,80, -,0,0,80, TCP


Can anyone tell me what all this outbound traffic is? Why so many IP
addresses in such a short amount of time? There are thousands of these
entries over the course of 1 day.  This can't be normal Kazaa activity - can
it?

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
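The pattern in the quoted ISA log, checked mechanically, as an added example that is
not code from either poster or from Microsoft: the one thing that distinguishes a
peer-to-peer client's traffic from a browser's is fan-out, many distinct destination
addresses within a minute, most of them on high, non-service ports. The script below
parses records in the layout shown in the post, groups them by (client IP, client
agent), and for each group computes the peak number of distinct destinations seen in
any 60-second window and the share of connections to ports at or above 1024. The field
names are an assumption taken from the ISA Server 2000 firewall-service log layout
(check them against your own log's header line); the KAZAA.EXE sample records are
copied from the post, and the two IEXPLORE.EXE records from a second host are
constructed to give the summary a baseline.

```python
"""Summarise ISA Server 2000 firewall-service log records per client process and
flag the peer fan-out pattern: many distinct destinations on high ports in a minute."""
from collections import defaultdict
from datetime import datetime, timedelta

# Field order assumed from the ISA Server 2000 firewall-service log layout; confirm it
# against the header of your own log file before relying on the names.
FIELDS = ["client_ip", "username", "agent", "authenticated", "date", "time",
          "service", "server", "referring", "dest_name", "dest_ip", "dest_port",
          "time_taken", "bytes_sent", "bytes_recv", "protocol", "transport"]

# Constructed sample. The KAZAA.EXE records are copied from the post above; the two
# IEXPLORE.EXE records from a second host are made up to provide a baseline.
SAMPLE_LOG = """\
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:42, fwsrv, RX_ISASERVER, -, -, 24.190.172.29,1672, -,0,0,1672, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:45, fwsrv, RX_ISASERVER, -, -, 65.25.147.93,3798, -,0,0,3798, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:47, fwsrv, RX_ISASERVER, -, -, 24.184.49.94,2376,101,0,0,2376, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:52, fwsrv, RX_ISASERVER, -, -, 66.41.85.58,3018, -,0,0,3018, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:55, fwsrv, RX_ISASERVER, -, -, 24.247.132.52,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv, RX_ISASERVER, -, -, 24.247.132.52,80,10065,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv, RX_ISASERVER, -, -, 24.186.122.98,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv, RX_ISASERVER, -, -, 24.186.122.98,80,10034,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv, RX_ISASERVER, -, -, 66.30.180.171,2415,251,0,0,2415, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:18, fwsrv, RX_ISASERVER, -, -, 24.161.226.72,1039, -,0,0,1039, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:21, fwsrv, RX_ISASERVER, -, -, 24.185.19.243,2781,100,0,0,2781, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:23, fwsrv, RX_ISASERVER, -, -, 24.74.37.116,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:50:04, fwsrv, RX_ISASERVER, -, -, 24.161.2.230,80, -,0,0,80, TCP
192.168.250.40, BobR, IEXPLORE.EXE:2:6.0, N, 8/18/2003, 22:49:10, fwsrv, RX_ISASERVER, -, -, 66.56.104.87,80,120,0,4400,80, TCP
192.168.250.40, BobR, IEXPLORE.EXE:2:6.0, N, 8/18/2003, 22:49:12, fwsrv, RX_ISASERVER, -, -, 24.247.132.52,80,95,0,2100,80, TCP
"""

def parse_record(line):
    """Split one comma-separated record into a dict; None for malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    rec["dest_port"] = int(rec["dest_port"])
    return rec

def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def summarize(text, window=timedelta(seconds=60)):
    """Per (client_ip, agent): record count, peak number of distinct destination IPs
    inside any `window`, and the share of connections to ports >= 1024."""
    groups = defaultdict(list)
    for r in parse_log(text):
        groups[(r["client_ip"], r["agent"])].append(r)
    out = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > window:   # slide the window forward
                start += 1
            peak = max(peak, len({x["dest_ip"] for x in recs[start:end + 1]}))
        high = sum(1 for x in recs if x["dest_port"] >= 1024)
        out[key] = {"records": len(recs), "peak_distinct_dests": peak,
                    "high_port_share": high / len(recs)}
    return out

def suspects(summary, min_dests=8, min_high_share=0.5):
    """Keys whose fan-out looks like peer discovery rather than browsing."""
    return sorted(k for k, s in summary.items()
                  if s["peak_distinct_dests"] >= min_dests
                  and s["high_port_share"] >= min_high_share)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in suspects(s):
        print(key, s[key])
```

The thresholds are starting points, not tuned values: a mail server or a busy proxy
will also show many destinations, but on port 25 or 80, so the high-port share is what
separates them. Run it over a full day's export (`summarize(open(path).read())`) and
the (client, agent) pairs that come back from `suspects` are the hosts to visit with
the netstat check from the reply above.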