Well, shit, even if no one else is doing it yet, it sounds like a pretty
good idea to me! I say we do it.
E
On Thu, 31 May 2001, Daniel Trudell wrote:
> ok, so maybe this could be called "entry n in the diary of a
> /var/log/messages junkie"
>
> Gnutella's port is 6346. As a brief refresher....gnutella is like napster
> with no central server. every peer is also a search server.
>
> So anyway....it's fairly distributed, and you can make your own client,
> seeing as how the protocol is open source. Well, a common way to beat
> intrusion detection is to do each probe from a separate IP. I've started
> to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
> logs with a source port of 6346 (gnutty) and high level dest ports
> corresponding to various proxy servers.
>
> So with enough paranoia, tequila and inference it becomes possible that
> people are using gnutella to distribute the sources of sweeps and scans,
> thereby beating IDSs. It is also possible that a gnutty client out there
> has a very aggressive discovery phase implementation.
>
> Anybody noticed anything similar? It seems much more efficient than
> cracking boxen to launder identity...dupe people into running your scanner
> in the background by giving them trojaned gnutella clients...or at least
> superimposing your probe on top of a gnutella request.
>
> tack
>
> -------------------------------------------------------
> "My Penguin style Kung-Fu will beat your Redmond style"
>
>
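The pattern the post describes (denied packets whose source port is 6346 but whose destination is some proxy port, arriving from many different source addresses) is something a log-watcher can pick out mechanically. The script below is an added example, not code from either poster: it parses constructed firewall log lines in a simplified ipchains-style "Packet log" format (an assumption; the poster's actual log layout is not shown), keeps only denied connections sourced from 6346 that are not plain peer-to-peer traffic on 6346, and then counts how many distinct source IPs hit each target port. A port hit from several unrelated sources is the "distributed sweep" signal the post is worried about; a single source hitting many ports looks more like the "aggressive discovery phase" alternative.

```python
import re
from collections import defaultdict

# Gnutella's listening port, as stated in the post.
GNUTELLA_PORT = 6346

# Constructed sample lines in a simplified ipchains-style "Packet log" format.
# Assumption: real log layouts vary; adjust LINE_RE for your own kernel/firewall.
SAMPLE_LOG = """\
May 31 02:11:07 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.10:6346 192.0.2.5:8080 L=48 SYN
May 31 02:11:09 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.10:6346 192.0.2.5:3128 L=48 SYN
May 31 02:12:40 gw kernel: Packet log: input DENY eth0 PROTO=6 10.2.7.3:6346 192.0.2.5:8080 L=48 SYN
May 31 02:13:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.3.3.3:6346 192.0.2.5:6346 L=48 SYN
May 31 02:14:55 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.9.9:6346 192.0.2.5:8080 L=48 SYN
May 31 02:15:10 gw kernel: Packet log: input DENY eth0 PROTO=6 10.4.4.4:51234 192.0.2.5:8080 L=48 SYN
"""

# action, interface, protocol number, src ip:port, dst ip:port
LINE_RE = re.compile(
    r"(DENY|REJECT|ACCEPT)\s+\S+\s+PROTO=(\d+)\s+"
    r"(\d+(?:\.\d+){3}):(\d+)\s+(\d+(?:\.\d+){3}):(\d+)"
)


def parse_line(line):
    """Return a dict describing one packet-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, proto, src_ip, src_port, dst_ip, dst_port = m.groups()
    return {
        "action": action,
        "proto": int(proto),
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def is_gnutella_sourced_probe(rec):
    """Denied TCP packet that claims to come from the Gnutella port but is
    aimed at some other service. 6346 -> 6346 is ordinary peer chatter and is
    deliberately excluded so normal Gnutella traffic does not trip the rule."""
    return (
        rec["action"] != "ACCEPT"
        and rec["proto"] == 6
        and rec["src_port"] == GNUTELLA_PORT
        and rec["dst_port"] != GNUTELLA_PORT
    )


def sources_per_target_port(log_text):
    """Map each probed destination port to the set of distinct source IPs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_gnutella_sourced_probe(rec):
            hits[rec["dst_port"]].add(rec["src_ip"])
    return dict(hits)


def ports_per_source(log_text):
    """Map each source IP to the set of destination ports it probed; a single
    source touching many ports is the 'aggressive client' explanation."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_gnutella_sourced_probe(rec):
            hits[rec["src_ip"]].add(rec["dst_port"])
    return dict(hits)


def flag_distributed_sweep(log_text, min_sources=3):
    """Ports probed from at least min_sources distinct IPs, most sources first.
    Returns a list of (dst_port, source_count) tuples."""
    counts = [(port, len(ips)) for port, ips in sources_per_target_port(log_text).items()
              if len(ips) >= min_sources]
    return sorted(counts, key=lambda pc: (-pc[1], pc[0]))


if __name__ == "__main__":
    for port, n in flag_distributed_sweep(SAMPLE_LOG, min_sources=2):
        print(f"port {port} probed from {n} distinct sources with src port {GNUTELLA_PORT}")
```

Run against the constructed sample, port 8080 is reported as probed from three distinct addresses, port 3128 from one; the accepted 6346-to-6346 line and the line with an unrelated source port are ignored. The threshold is the knob to tune: on a busy gateway, raise `min_sources` (and add a time window) before treating the count as a sweep rather than coincidence.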