 Security issue with Napster?
A computer on my internal network initiated a connection to a napster
server, through my IP Masq'd Linux box. Immediately thereafter, I get this
in my logs.

Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3227 24.94.9.216:6699 L=60 S=0x00 I=31361 F=0x4000 T=48 SYN (#7)
Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3228 24.94.9.216:6700 L=60 S=0x00 I=31397 F=0x4000 T=48 SYN (#7)

I can understand the connections on ports 6699 and 6700, but what about
below?

Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3229 24.94.9.216:80 L=60 S=0x00 I=31403 F=0x4000 T=48 SYN (#7)
Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3230 24.94.9.216:21 L=60 S=0x00 I=31501 F=0x4000 T=48 SYN (#7)
Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3231 24.94.9.216:23 L=60 S=0x00 I=31503 F=0x4000 T=48 SYN (#7)

Why in the world would they attempt connection on 80, 21, and 23? I also
emailed i...@napster.com . Hopefully I can get to the bottom of this.

Nslookup on the source IP shows non-existent host/domain, but ARIN shows the
IP is owned by Napster Inc.

-Tad



 Thu, 01 Aug 2002 03:00:00 GMT   
 Security issue with Napster?
I'd question if the ports are actually being attempted by Napster. It would
seem more like packet collision. Does it reproduce regularly? I'd be
interested if you get any info on this.

Regards,
Decimal-3

news:seCp4.1374$Ob5.7033@typhoon1.san.rr.com...



 Fri, 02 Aug 2002 03:00:00 GMT   
 Security issue with Napster?
I have seen exactly this fingerprint for the Napster client.

This is indeed what the Napster client (software) does.

It tries to communicate over /any/ commonly available port.

23, 80, 21, 8080, 6699, 6700, and maybe others.

Erg....frustrating...

-M

--

:I'd question if the ports are actually being attempted by Napster. It would
:seem more like packet collision. Does it reproduce regularly? I'd be
:interested if you get any info on this.
:
:Regards,
:Decimal-3
:
:news:seCp4.1374$Ob5.7033@typhoon1.san.rr.com...
:> A computer on my internal network initiated a connection to a napster
:> server, through my IP Masq'd Linux box. Immediately, thereafter, I get this
:> in my logs.
:>
:> Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3227 24.94.9.216:6699 L=60 S=0x00 I=31361 F=0x4000 T=48 SYN (#7)
:> Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3228 24.94.9.216:6700 L=60 S=0x00 I=31397 F=0x4000 T=48 SYN (#7)
:>
:> I can understand the connections on ports 6699 and 6700, but what about
:> below?
:>
:> Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3229 24.94.9.216:80 L=60 S=0x00 I=31403 F=0x4000 T=48 SYN (#7)
:> Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3230 24.94.9.216:21 L=60 S=0x00 I=31501 F=0x4000 T=48 SYN (#7)
:> Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3231 24.94.9.216:23 L=60 S=0x00 I=31503 F=0x4000 T=48 SYN (#7)
:>
:> Why in the world would they attempt connection on 80, 21, and 23? I also
:> emailed i...@napster.com . Hopefully I can get to the bottom of this.
:>
:> Nslookup on the source IP shows non-existent host/domain, but ARIN shows the
:> IP is owned by Napster Inc.
:>
:> -Tad



 Fri, 02 Aug 2002 03:00:00 GMT   
 Security issue with Napster?

Martin A. Brown <mar...@wonderfrog.net> wrote in message
news:Pine.LNX.4.10.10002141818160.2969-100000@isolde.wi.securepipe.com...

This is definitely NOT the Napster client. Notice the connection is from a
Napster server to my external interface (eth0). My internal interface is
eth1. This was logged from a stand alone IP Masq/Firewall.

-Tad



 Sat, 03 Aug 2002 03:00:00 GMT   
 Security issue with Napster?

Nah, it won't be collision. Collisions occur at layer 2 and the colliding
frames are discarded (because they're erroneous) and would never be
passed to layer 3 for processing.

The log messages just look like normal connection attempts to
www/ftp/telnet ports. Someone's just poking around to see what you got.
When they start attempting to run exploits then mail ab...@napster.com
(or their upstream ISP if you get nowhere), otherwise just ignore it. I
get this type of stuff a few times a week.

Adam



 Mon, 05 Aug 2002 03:00:00 GMT   
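An added example (not code from the thread) that parses the ipchains "Packet log" lines from Tad's first post and flags a source whose rejected SYNs reach several distinct destination ports in a short window, i.e. the "poking around" pattern Adam describes. The five sample lines are Tad's, re-typed on one line each; the sixth line, the 3-port threshold and the 60-second window are constructed/assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the ipchains (Linux 2.2) "Packet log" format shown in the thread.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-f]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)
# Tad's five log lines re-typed on one line each, plus one constructed
# benign line (a lone SYN from another source) that must not be flagged.
SAMPLE_LOG = [
    "Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3227 24.94.9.216:6699 L=60 S=0x00 I=31361 F=0x4000 T=48 SYN (#7)",
    "Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3228 24.94.9.216:6700 L=60 S=0x00 I=31397 F=0x4000 T=48 SYN (#7)",
    "Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3229 24.94.9.216:80 L=60 S=0x00 I=31403 F=0x4000 T=48 SYN (#7)",
    "Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3230 24.94.9.216:21 L=60 S=0x00 I=31501 F=0x4000 T=48 SYN (#7)",
    "Feb 13 09:19:30 hal kernel: Packet log: input REJECT eth0 PROTO=6 208.178.163.61:3231 24.94.9.216:23 L=60 S=0x00 I=31503 F=0x4000 T=48 SYN (#7)",
    "Feb 13 09:20:05 hal kernel: Packet log: input REJECT eth0 PROTO=6 10.9.8.7:40001 24.94.9.216:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#7)",
]

def parse_line(line):
    """Parse one ipchains log line into a dict; return None if it is not one."""
    m = IPCHAINS_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"].split()  # e.g. ["SYN"], or [] when no flag is logged
    return ev

def find_port_probes(lines, min_ports=3, window_seconds=60):
    """Return {src: sorted distinct dst ports} for each source whose rejected SYNs
    hit at least min_ports distinct ports within window_seconds (assumed values)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("REJECT", "DENY") or "SYN" not in ev["flags"]:
            continue
        # syslog timestamps carry no year; strptime's default year is fine for deltas
        when = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        by_src[ev["src"]].append((when, ev["dport"]))
    probes = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                probes[src] = sorted(ports)
                break
    return probes
```

Running find_port_probes(SAMPLE_LOG) reports only 208.178.163.61, with ports 21, 23, 80, 6699 and 6700, while the lone SYN from the constructed second source is ignored.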
 Security issue with Napster?

Hello Tad

I suspect that they are trying to subvert site policies. Since napster is
usually executed on a PC, it can easily bind privileged ports like 80, 21, 22,
and 23, which are all more likely to be allowed through a border firewall,
particularly if the corporate IT department does not communicate well with
departmental sysadmin staff or vice versa.

Napster's been a bit pissed at the community at large discussing how to block
their traffic, to the point of threatening legal action against those who have
reverse engineered by network analysis (technically what you've just done by
associating your log entries with your run of napster). It's part of the EULA
that you check when you install the napster client/surreptitious server that
you would not reverse engineer the protocol. So if you ever figure out why
those connection attempts are being made then you've broken your Napster EULA
and could be sued (emailing them on this probably wasn't a good idea). I
wouldn't be surprised if newer versions try to find ways around typical site
napster blocks and bandwidth throttles.

I suppose the next level would be for napster to use dynamic DNS for each
client/trojan server that does get installed to also act as a distributed
co-ordination server in order to make it more difficult to block by increasing
the number of co-ordination access points and to distribute information as to
locating these access points via an established and likely unblocked protocol.
Uh-oh, I just publicly revealed to them how to be more of a pain in my A**.

Regards,
John



 Tue, 13 Aug 2002 03:00:00 GMT   