[Dshield] Kazaa Strange Activity - Question

Leone, Michael michael_leone at merck.com
Thu Aug 21 19:00:45 GMT 2003


Searching for songs/movies/porn/mcat exam cheat sheets/Jimmy Hoffa


--
Michael C. Leone
Lab Automation and Data Integration
Information Services for Basic Research
Michael_Leone at merck.com
Work: 732-594-3900
Cell: 908-278-9387

-----Original Message-----
From: Yevette Maurer [mailto:yevettem at gsmt.com] 
Sent: Thursday, August 21, 2003 2:28 PM
To: list at dshield.org
Subject: [Dshield] Kazaa Strange Activity - Question


I was wondering if anyone could help me with a Kazaa question? I am not
familiar with it, except that I know it is a breeding ground for Trojans and
Viruses. We have laptop users connected to our network (Real Estate agents
that pay us for internet connectivity). Our firewall is Microsoft ISA
server. The following was found in the ISA server logs:

192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:42, fwsrv,
RX_ISASERVER, -, -, 24.190.172.29,1672, -,0,0,1672, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:45, fwsrv,
RX_ISASERVER, -, -, 65.25.147.93,3798, -,0,0,3798, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:47, fwsrv,
RX_ISASERVER, -, -, 24.184.49.94,2376,101,0,0,2376, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:52, fwsrv,
RX_ISASERVER, -, -, 66.41.85.58,3018, -,0,0,3018, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:55, fwsrv,
RX_ISASERVER, -, -, 24.247.132.52,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv,
RX_ISASERVER, -, -, 24.247.132.52,80,10065,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv,
RX_ISASERVER, -, -, 24.186.122.98,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv,
RX_ISASERVER, -, -, 24.186.122.98,80,10034,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:15, fwsrv,
RX_ISASERVER, -, -, 66.30.180.171,2415,251,0,0,2415, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:18, fwsrv,
RX_ISASERVER, -, -, 24.161.226.72,1039, -,0,0,1039, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:21, fwsrv,
RX_ISASERVER, -, -, 24.185.19.243,2781,100,0,0,2781, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:23, fwsrv,
RX_ISASERVER, -, -, 24.74.37.116,80,10,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:23, fwsrv,
RX_ISASERVER, -, -, 24.74.37.116,80,10,0,1172,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:24, fwsrv,
RX_ISASERVER, -, -, 24.188.202.237,2333, -,0,0,2333, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:26, fwsrv,
RX_ISASERVER, -, -, 66.24.39.69,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:36, fwsrv,
RX_ISASERVER, -, -, 66.24.39.69,80,10084,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:37, fwsrv,
RX_ISASERVER, -, -, 12.218.57.197,2342,200,0,0,2342, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:39, fwsrv,
RX_ISASERVER, -, -, 24.188.12.26,3409, -,0,0,3409, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:42, fwsrv,
RX_ISASERVER, -, -, 66.26.16.139,1550,110,0,0,1550, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:45, fwsrv,
RX_ISASERVER, -, -, 24.206.146.220,3510, -,0,0,3510, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:48, fwsrv,
RX_ISASERVER, -, -, 66.56.104.87,80, -,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:59, fwsrv,
RX_ISASERVER, -, -, 66.56.104.87,80,11005,0,0,80, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:59, fwsrv,
RX_ISASERVER, -, -, 24.128.158.140,1936,51,0,0,1936, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:50:02, fwsrv,
RX_ISASERVER, -, -, 24.166.198.229,1114, -,0,0,1114, TCP
192.168.250.36, LindaC, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:50:04, fwsrv,
RX_ISASERVER, -, -, 24.161.2.230,80, -,0,0,80, TCP


Can anyone tell me what all this outbound traffic is? Why so many IP
addresses in such a short amount of time? There are thousands of these
entries over the course of 1 day.  This can't be normal Kazaa activity - can
it?
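
One way to quantify the pattern asked about above, as an added example that is not part of the original thread: it rejoins the mail-wrapped records and reports, per client/user/process, the peak number of distinct destination IPs contacted inside a sliding window. The sample records, the 60-second window and the threshold of 4 are constructed for illustration, and the column positions are inferred from the quoted lines rather than taken from ISA Server documentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample, wrapped like the quoted log; RFC 5737 documentation IPs.
SAMPLE = """\
10.0.0.5, user1, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:42, fwsrv,
RX_ISASERVER, -, -, 203.0.113.10,1672, -,0,0,1672, TCP
10.0.0.5, user1, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:45, fwsrv,
RX_ISASERVER, -, -, 203.0.113.11,3798, -,0,0,3798, TCP
10.0.0.5, user1, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:48:55, fwsrv,
RX_ISASERVER, -, -, 198.51.100.7,80, -,0,0,80, TCP
10.0.0.5, user1, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:05, fwsrv,
RX_ISASERVER, -, -, 198.51.100.7,80,10065,0,0,80, TCP
10.0.0.5, user1, KAZAA.EXE:2:4.90, N, 8/18/2003, 22:49:18, fwsrv,
RX_ISASERVER, -, -, 203.0.113.12,1039, -,0,0,1039, TCP
10.0.0.9, user2, IEXPLORE.EXE:2:4.90, N, 8/18/2003, 22:49:20, fwsrv,
RX_ISASERVER, -, -, 198.51.100.20,80,120,0,0,80, TCP
"""

# Field count and column positions are inferred from the quoted lines (assumption).
FIELDS, C_IP, USER, AGENT, DATE, TIME, R_IP = 17, 0, 1, 2, 4, 5, 10

def parse_records(text):
    """Rejoin mail-wrapped lines and yield (source, timestamp, dest_ip)."""
    buf = ""
    for line in text.splitlines():
        buf += line.strip() + " "
        f = [x.strip() for x in buf.split(",")]
        if len(f) < FIELDS or not f[-1]:
            continue  # record still incomplete (line ended on a comma)
        buf = ""
        ts = datetime.strptime(f"{f[DATE]} {f[TIME]}", "%m/%d/%Y %H:%M:%S")
        yield (f[C_IP], f[USER], f[AGENT]), ts, f[R_IP]

def fanout(records, window=timedelta(seconds=60), threshold=4):
    """Map each flagged source to its peak count of distinct destinations per window."""
    by_src = defaultdict(list)
    for src, ts, dst in records:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop events older than the window
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Calling `fanout(parse_records(SAMPLE))` flags only the `KAZAA.EXE` source; repeated connections to the same address count once, so the figure reflects how many peers were contacted rather than how many log lines were written.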
