Forums: What Is Going On In Port 1214? - Forums

What Is Going On In Port 1214? Rising port scanning

#1 User is offline   net_runner 

Posted 07 February 2004 - 09:09 AM

I'm not sure what these boys are scanning, maybe it's a worm, a virus, a new secret vuln... whatever, my router catches a lot of scanning on this port... any suggestions?


thankz

#2 User is offline   xlulux 

Posted 07 February 2004 - 09:43 AM

Port 1214 is Kazaa, I think. Capture the packets sent to your router and post them, and keep looking for new worms; that is probably it, because hackers don't just scan one port that is mostly unknown.

#3 User is offline   net_runner 

Posted 07 February 2004 - 09:58 AM

I don't know how to capture packets, maybe you can teach me.
About 1214: yes, it is this network, Kazaa/Morpheus... (and I don't use this lame p2p)

#4 User is offline   Kenny 

Posted 07 February 2004 - 10:30 AM

yeah kazaa port

if you're new to sniffing then you might want to try this program for free

packetmon

http://www.analogx.c...etwork/pmon.htm

should help you

also i made a program in the programmers section called TROY .. might help you identify trojans and open ports

http://www.governmen...?showtopic=6248
Kenny aka ComSec

Please read the Forum Rules !!!

Blog

" http://kaltech.blogspot.com/ "

______________________

#5 User is offline   TedOb1 

Posted 07 February 2004 - 12:30 PM

xlulux is right, 1214 is the default port for Morpheus/Kazaa. You find this a lot if you're using dial-up: someone who was sharing some popular files signs off, and you're assigned that IP address when you sign on. To see for yourself, scan an IP range for computers listening on 1214. Fire up telnet or netcat: telnet xx.xxx.xx.xxx 1214. Enter "GET http/1.0 \n\n". Some like to put another '/' between GET and http, but this works.

C:\>echo GET http/1.0 \n\n |nc -vv 172.147.xxx.62 1214
AC00000E.ipt.aol.com [172.147.xxx.62] 1214 (?) open
HTTP/1.0 501 Not Implemented
X-Kazaa-Username: lazygirl
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 172.147.xxx.62:1530
X-Kazaa-SupernodeIP: 172.128.xxx.108:2030

sent 20, rcvd 158: NOTSOCK

packetmon is great, but a word of advice: if you are using a modem to connect, there's not a packet scanner on the market that will capture outgoing packets from your machine. You have to set up a gateway that dials up to connect, and then set your computer to use a network connection to the gateway for internet access, to use an outbound sniffer.

Easy answer... set your firewall not to warn you of these connection attempts unless you're running Kazaa.

#6 User is offline   eXist 

Posted 07 February 2004 - 10:37 PM

Check out fport to see if it is in fact Kazaa that's running. Someone may have other stuff installed on your computer and use this port as a simple "disguise". Also, if packetmon isn't to your liking, try getting snort, another open source packet sniffer.

#7 User is offline   net_runner 

Posted 08 February 2004 - 08:04 AM

First, i wanna say thankz to xlulux, ComSec, TedOb1, eXist
second, packetmon rulz
third: im drunk :)


eXist: it is not necessary to run fport (great tool); the connection attempt is caught by the router, and the router's real-time logs are what I'm looking at.

#8 User is offline   net_runner 

Posted 08 February 2004 - 08:48 AM

packetmon caught this packet..

Quote

HEADER:
45 00 00 30 1B 02 40 00 6D 06 00 DC 52 D5 DD 6A  E..0..@.m...R..j
C0 A8 01 02 04 54 04 BE 00 03 1A A0 00 00 00 00  .....T..........
70 02 FF FF 6D E4 00 00                          p...m...       

DATA:
02 04 05 50 01 01 04 02                          ...P....       


How can it be interpreted?
What could it be looking for?

PS: I started this topic because I detected rising activity on port 1214...
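
One way to answer the question in post #8, added here as an example that is not part of the original thread: a Python decoder that reads the dumped bytes as an IPv4 header followed by a TCP header. It assumes packetmon's DATA row continues the TCP header, which the data-offset field (7 words, 28 bytes) confirms; the function names are illustrative.

```python
import socket
import struct

# Bytes copied from the packetmon dump in the post above (HEADER rows, then DATA).
DUMP = """
45 00 00 30 1B 02 40 00 6D 06 00 DC 52 D5 DD 6A
C0 A8 01 02 04 54 04 BE 00 03 1A A0 00 00 00 00
70 02 FF FF 6D E4 00 00
02 04 05 50 01 01 04 02
"""
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # TCP flag bits 0..5
OPTION_NAMES = {1: "NOP", 2: "MSS", 4: "SACK-permitted"}

def ip_checksum_ok(header: bytes) -> bool:
    """The 16-bit one's-complement sum of a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_tcp_options(opts: bytes) -> list:
    """NOP is a lone byte; other kinds carry a length byte. Stop if malformed."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:     # kind 0 = End of Option List
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and length < 2) or i + length > len(opts):
            break
        body = opts[i + 2:i + length]
        name = OPTION_NAMES.get(kind, f"kind-{kind}")
        out.append((name, int.from_bytes(body, "big")) if body else name)
        i += length
    return out

def decode(dump: str) -> dict:
    pkt = bytes.fromhex("".join(dump.split()))
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]   # trim to IP total length
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4              # TCP header length, options included
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "ttl": pkt[8], "proto": pkt[9], "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [n for b, n in enumerate(FLAG_NAMES) if off_flags & (1 << b)],
        "options": parse_tcp_options(tcp[20:doff]), "payload_len": len(tcp) - doff,
    }

print(decode(DUMP))
```

The dump decodes to a bare TCP SYN to port 1214 with a valid IP checksum and no payload; the eight DATA bytes are only the MSS, NOP, NOP and SACK-permitted options. That is an unsolicited connection attempt, not application traffic.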

#9 User is offline   kenshin_efx 

Posted 08 February 2004 - 06:25 PM

Try snort, it is a sniffer.
www.google.cl ---> snort

#10 User is offline   Kenny 

Posted 08 February 2004 - 08:24 PM

kenshin_efx, on Feb 9 2004, 02:25 AM, said:

Try snort, it is a sniffer.
www.google.cl ---> snort

I think from the reaction to his post:

Quote

don't know how to capture packets, maybe you can teach me


snort might just be a bit too advanced for a newbie... hence the easy starter with packetmon

jmo ;)

#11 User is offline   kenshin_efx 

Posted 09 February 2004 - 09:29 AM

I will try packetmon, 10x for the tip, ComSec.
