
Thread: Security hole in Morpheus

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Posts
    356

    Security hole in Morpheus

    'Dangerous' hole discovered in Morpheus

    MP3 fans using the Morpheus file-swapping service risk having their personal details exposed online, according to security experts.
    Morpheus is now the most popular file-swapping service on the Internet. The security hole means that the personal details of millions of people are now at risk of exposure. According to the Web site of MusicCity--the company that created Morpheus--more than nine million copies of the client have been downloaded.

    MusicCity Networks could not be contacted for comment.

    A new security hole has been discovered in the peer-to-peer file-sharing application, which allows a random list to be generated of people using the service. A malicious hacker could then access the computers of those users and copy files from anywhere on their hard disk. Usually, Morpheus only allows access to files placed in a specific folder, like other peer to peer file-sharing clients.

    The privacy risk was reported to BBC News Online by a group of security experts, who are choosing to remain anonymous. They have described the exploit as "very dangerous", and have warned that this could make every Morpheus user's computer available to anyone who wants to access it.

    The Morpheus peer-to-peer application allows users to search for digital media, such as music and videos, on the MusicCity network. The service also allows content providers to deploy third-party digital rights management technology to protect their copyright works. This protects the copyrights of artists involved, and has helped it to prevent a Napster-style shutdown.

    http://zdnet.com.com/2100-1106-828592.html
    An Ounce of Prevention is Worth a Pound of Cure...
     

  2. #2
    Member D.J.'s Avatar
    Join Date
    Nov 2001
    Location
    SC
    Posts
    62
    Do you know how this is done? I have Morpheus. I would like to protect my computer from this.
    D. J.

  3. #3
    Junior Member
    Join Date
    Nov 2001
    Posts
    4
    First off.. Turn off File-Sharing.
    Second. Morpheus shouldn't "show the user" on the search list 'cause if you just follow a lil click on the user then you can easily trace and monitor the package.

    So Morpheus. - take out the show user feature.

    /artic.
    Chirp. ?!

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    I saw this article and freaked. Everyone I know, including myself, uses Morpheus, so I was pretty surprised to read that there is such a serious hole in the program. That really sucks.

    I think I will be writing MusicCity and asking what they plan on doing about this. A patch would really be appreciated.
    An Ounce of Prevention is Worth a Pound of Cure...
     

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I've searched high and low for more info on this warning but there's nothing there. General consensus seems to be that this is a rumor started by the record industry to stem file sharing.
    They might be right.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    409

    Is this the Hole?

    I am not sure if this is the hole that has been reported. I have known about this for quite some time. But I'll paste it anyway; I'm sure someone will tell me if it is old news or not.
    Hello, I wrote this text file just because I felt like typing and because a lot of people use Morpheus and don't know they can be "hacked". Morpheus and Kazaa are a big community just like Napster and some others. This file explains a hole found by me (just_a_dude), which later on I discovered someone else had found it already, but I felt like writing a text file about it, so here it goes. I'll be referring to Morpheus/Kazaa as M/K.
    Morpheus/KaZaA
    savIRC :: The Multi-Platform IRC Client v. 1.8 [Released 9.04.02]

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    420
    I'm not sure how available files in non-shared directories are. I will experiment with this when I am off the corporate network. It seems that if I do netstat -a and get a list of systems I am connecting to, I can then either do ftp <IP> and attempt a logon, or net use <ip>, or map network drive <ip>. With the second 2 choices I will only see files in shared folders. It is a security hole, but a simple enough patch is to disable sharing in drives/directories you don't want outsiders to see (I think by default 2000/nt c drive is shared - thank you m$).

    Cheers,
    -D

  8. #8
    Junior Member
    Join Date
    Jan 2002
    Posts
    1

    Morpheus file sharing is just like when I was a kid. I got a new walkman for my b-day, and when I borrowed my friend's cassette to listen to, it got tangled up, ate the cassette and broke my walkman. Maybe the Metallica scrooge was right, u SHOULD buy c.d.'s. and software
    Just to be safe (not that anyone ever will again) N.

  9. #9
    Senior Member
    Join Date
    Aug 2001
    Posts
    356
    Originally posted by dspeidel
    (I think by default 2000/nt c drive is shared -thank you m$)
    Yes, c is shared by default. It's under the name c$. You need admin access to get into it. If it weren't there and you had admin access you could easily enough create it. For once, I don't think there is anything wrong with what microsuck did.
    -8-

    There are 10 types of people in this world: those who understand binary, and those who don't.

  10. #10
    Banned
    Join Date
    Nov 2001
    Posts
    188
    This way (I wouldn't call it exploiting Morpheus) gives you via a web browser a list of everything that person has on Morpheus, which is a feature they have anyway. What you do is make a connection with somebody (download/upload) and in DOS run the netstat -n command to get their IP. Then in your browser just connect to their IP on port 1214. "http://x.x.x.x.:1214", the x's being the IP.

    How this relates to the leeching of someone's c:/ drive, I don't know.


    "edit"

    I am not sure if this is the hole that has been reported. I have known...
    I guess someone beat me to it.
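
Added example, not part of any post in this thread: a Python check that reads `netstat -an` output from your own machine and reports whether port 1214 (the port named above) is listening on a non-loopback address, and which peers are connected on it. The sample output, function names and addresses are constructed for illustration.

```python
import ipaddress

P2P_PORT = 1214  # port named in the thread for the Morpheus/KaZaA file listing

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1214      203.0.113.45:3321      ESTABLISHED
  TCP    192.168.1.20:2045      198.51.100.7:1214      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None if not numeric."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None

def audit_netstat(text, port=P2P_PORT):
    """Summarise exposure of `port` from `netstat -an` text."""
    report = {"listeners": [], "inbound_peers": [], "outbound_peers": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # headers, blank lines and UDP rows carry no TCP state
        laddr, lport = split_endpoint(fields[1])
        raddr, rport = split_endpoint(fields[2])
        state = fields[3]
        if state == "LISTENING" and lport == port:
            # Reachable from the network unless bound to loopback only.
            exposed = not ipaddress.ip_address(laddr).is_loopback
            report["listeners"].append((laddr, exposed))
        elif state == "ESTABLISHED":
            if lport == port:
                report["inbound_peers"].append(raddr)   # peer connected to us
            elif rport == port:
                report["outbound_peers"].append(raddr)  # we connected to peer
    return report

if __name__ == "__main__":
    print(audit_netstat(SAMPLE))
```

A listener flagged as exposed means the file listing is reachable by anyone who can route to the machine; closing the client or blocking inbound TCP 1214 at the firewall removes it.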
