net_runner
Feb 7 2004, 05:09 PM
I'm not sure what these boys are scanning for, maybe it's a worm, a virus, a new secret vuln... whatever, my router catches a lot of scanning on this port... any suggestions?
thankz
xlulux
Feb 7 2004, 05:43 PM
port 1214 is KaZaA I think, capture the packets sent to your router and post them, and keep looking for new worms, that is probably it 'cause hackers don't just scan one port, that is mostly unknown
net_runner
Feb 7 2004, 05:58 PM
I don't know how to capture packets, maybe you can teach me.
about 1214, yes, it is this network, kazaa/morpheus... (and I don't use this lame p2p)
ComSec
Feb 7 2004, 06:30 PM
yeah kazaa port
if you're new to sniffing then you might want to try this program for free
packetmon
http://www.analogx.com/contents/download/network/pmon.htm should help you
also I made a program in the programmers section called TROY .. might help you identify trojans and open ports
http://www.governmentsecurity.org/forum/in...?showtopic=6248
TedOb1
Feb 7 2004, 08:30 PM
xlulux is right, 1214 is the default port for morpheus/kazaa. you find this a lot if you're using dial-up. someone signs off that was sharing some popular files and you're assigned that ip address when you sign on. to see for yourself scan an ip range for computers listening on 1214. fire up telnet or netcat. telnet xx.xxx.xx.xxx 1214. enter "GET http/1.0 \n\n" some like to put another '/' between get and http but this works.
C:\>echo GET http/1.0 \n\n |nc -vv 172.147.xxx.62 1214
AC00000E.ipt.aol.com [172.147.xxx.62] 1214 (?) open
HTTP/1.0 501 Not Implemented
X-Kazaa-Username: lazygirl
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 172.147.xxx.62:1530
X-Kazaa-SupernodeIP: 172.128.xxx.108:2030
sent 20, rcvd 158: NOTSOCK
packetmon is great. but a word of advice, if you are using a modem to connect there's not a packet scanner on the market that will capture outgoing packets from your machine. you have to set up a gateway that dials up to connect and then set your computer to use a network connection to the gateway for internet access to use an outbound sniffer.
easy answer...set your firewall not to warn you of these connection attempts unless you're running kazaa.
eXist
Feb 8 2004, 06:37 AM
Check out fport, to see if it is in fact Kazaa that's running. Someone may have other stuff installed on your computer and use this port as a simple "disguise". Also, if packetmon isn't to your liking, try getting snort, another open source packet sniffer.
net_runner
Feb 8 2004, 04:04 PM
First, I wanna say thankz to xlulux, ComSec, TedOb1, eXist
second, packetmon rulz
third: I'm drunk

eXist: it is not necessary to run fport (great tool), the connection attempt is caught by the router and the router's real-time logs are what I'm looking at.
net_runner
Feb 8 2004, 04:48 PM
packetmon caught this packet..
| QUOTE |
HEADER:
45 00 00 30 1B 02 40 00 6D 06 00 DC 52 D5 DD 6A   E..0..@.m...R..j
C0 A8 01 02 04 54 04 BE 00 03 1A A0 00 00 00 00   .....T..........
70 02 FF FF 6D E4 00 00                           p...m...
DATA:
02 04 05 50 01 01 04 02                           ...P....
|
how can it be interpreted?
what could it be looking for?
PS: I started this topic because I detect rising activity on port 1214...
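Added example (not part of the original thread, and not code from any poster): one way to interpret the bytes packetmon captured above is to decode them as an IPv4 header, a TCP header and TCP options. The function names `decode`, `tcp_options` and `ip_checksum_ok` are this example's own; the byte string is the one quoted in the post.

```python
import socket
import struct

# Bytes copied from the packetmon capture quoted above (HEADER rows, then DATA row).
CAPTURE = bytes.fromhex(
    "45000030 1B024000 6D0600DC 52D5DD6A C0A80102 "  # IPv4 header (20 bytes)
    "045404BE 00031AA0 00000000 7002FFFF 6DE40000 "  # TCP header (20 bytes)
    "02040550 01010402"                              # TCP options (DATA row)
)
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
OPTION_NAMES = {1: "NOP", 4: "SACK_PERMITTED"}

def ip_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum of a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def tcp_options(opts: bytes) -> list:
    """Walk the kind/length/value list that follows the fixed TCP header."""
    found, i = [], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 ends the list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and length < 2) or i + length > len(opts):
            found.append("MALFORMED")                # bogus or truncated length
            break
        if kind == 2 and length == 4:                # maximum segment size
            found.append(f"MSS={int.from_bytes(opts[i + 2:i + 4], 'big')}")
        else:
            found.append(OPTION_NAMES.get(kind, f"kind{kind}"))
        i += length
    return found

def decode(raw: bytes) -> dict:
    ihl = (raw[0] & 0x0F) * 4 if raw else 0          # IP header length in bytes
    if ihl < 20 or len(raw) < ihl + 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an untruncated IPv4 packet carrying TCP")
    ttl, src, dst = struct.unpack("!8xB3x4s4s", raw[:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    tcp_len = (off_flags >> 12) * 4                  # TCP header length incl. options
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for bit, n in enumerate(FLAG_NAMES) if off_flags & (1 << bit)],
        "options": tcp_options(raw[ihl + 20:ihl + tcp_len]),
        "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
    }
```

For this capture, `decode(CAPTURE)` reports a lone SYN from 82.213.221.106 port 1108 to 192.168.1.2 port 1214, with a valid IP checksum, MSS 1360 and SACK permitted. That is the first packet of an ordinary TCP connection attempt to port 1214, carrying no application data.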
kenshin_efx
Feb 9 2004, 02:25 AM
try snort, it is a sniffer.
www.google.cl ---> snort
ComSec
Feb 9 2004, 04:24 AM
| QUOTE (kenshin_efx @ Feb 9 2004, 02:25 AM) |
try snort, it is a sniffer. www.google.cl ---> snort |
I think from the reaction to his post:
| QUOTE |
| I don't know how to capture packets, maybe you can teach me |
snort might just be a bit too advanced for a newbie...hence the easy starter with packetmon
jmo
kenshin_efx
Feb 9 2004, 05:29 PM
I will try packetmon, 10x for the tip ComSec.