ok, so maybe this could be called "entry n in the diary of a
/var/log/messages junkie"

Gnutella's port is 6346.  As a brief refresher....gnutella is like napster
with no central server.  every peer is also a search server.

So anyway....it's fairly distributed, and you can make your own client,
seeing as how the protocol is open source.  Well, a common way to beat
intrusion detection is to do each probe from a separate IP.  I've started
to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
logs with a source port of 6346 (gnutty) and high level dest ports
corresponding to various proxy servers.

So with enough paranoia, tequila and inference it becomes possible that
people are using gnutella to distribute the sources of sweeps and scans,
thereby beating IDSs.  It is also possible that a gnutty client out there
has a very aggressive discovery phase implementation.

Anybody noticed anything similar?  It seems much more efficient than
cracking boxen to launder identity...dupe people into running your scanner
in the background by giving them trojaned gnutella clients...or at least
superimposing your probe on top of a gnutella request.

tack

-------------------------------------------------------
"My Penguin style Kung-Fu will beat your Redmond style"

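A defender-side check for the pattern the post describes, added here as an example and not the poster's own code: it parses denied-packet lines of the kind that end up in /var/log/messages, keeps those whose source port is Gnutella's and whose destination port belongs to a proxy, and groups them by source IP so a sweep spread across many peers (many sources, each touching only a port or two) stands out from a single aggressive client. The log line format (ipchains-style kernel packet log), the proxy port list and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

GNUTELLA_PORT = 6346
# Representative proxy listener ports (assumption, extend to taste).
PROXY_PORTS = {1080, 3128, 8000, 8080, 8081, 8888}

# ipchains-style denied packet line (format is an assumption):
#   "Packet log: input DENY eth0 PROTO=6 SRC:SPORT DST:DPORT ..."
LOG_RE = re.compile(
    r"Packet log: \S+ DENY \S+ PROTO=6 "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample of /var/log/messages lines (not real traffic).
SAMPLE_LOG = """\
Mar 12 02:14:07 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.5:6346 192.0.2.10:8080 L=60 S=0x00 I=4123 F=0x4000 T=52 SYN (#4)
Mar 12 02:14:09 gw kernel: Packet log: input DENY eth0 PROTO=6 10.2.7.19:6346 192.0.2.10:3128 L=60 S=0x00 I=4124 F=0x4000 T=48 SYN (#4)
Mar 12 02:14:11 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.3.44:6346 192.0.2.10:1080 L=60 S=0x00 I=4125 F=0x4000 T=55 SYN (#4)
Mar 12 02:14:12 gw kernel: Packet log: input DENY eth0 PROTO=6 10.4.4.4:6346 192.0.2.10:6346 L=60 S=0x00 I=4126 F=0x4000 T=61 SYN (#4)
Mar 12 02:14:15 gw kernel: Packet log: input DENY eth0 PROTO=17 10.5.5.5:6346 192.0.2.10:8080 L=48 S=0x00 I=4127 F=0x0000 T=64 (#4)
Mar 12 02:14:20 gw in.telnetd[911]: refused connect from 10.6.6.6
"""


def parse_denied(lines):
    """Yield (src, sport, dst, dport) for each denied TCP packet line."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def gnutella_proxy_probes(lines):
    """Map source IP -> set of proxy ports it hit with a Gnutella source port.
    Normal peer traffic (dport 6346) and non-TCP lines are left out."""
    hits = defaultdict(set)
    for src, sport, dst, dport in parse_denied(lines):
        if sport == GNUTELLA_PORT and dport in PROXY_PORTS:
            hits[src].add(dport)
    return dict(hits)


def looks_distributed(hits, min_sources=3):
    """A laundered sweep: many distinct sources, each probing only a port
    or two. One source walking the whole port list is a different story."""
    return len(hits) >= min_sources and all(len(p) <= 2 for p in hits.values())


if __name__ == "__main__":
    found = gnutella_proxy_probes(SAMPLE_LOG.splitlines())
    for src, ports in sorted(found.items()):
        print(f"{src} -> proxy ports {sorted(ports)}")
    print("distributed sweep pattern:", looks_distributed(found))
```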