Blocking Kazaa Connections

[Rev Jazzman]

Bad newx, Tiger...

There just aint no way to do it without setting up a major proxy service, and my poor 300mhz gateway just don't got the juice to manhandle it (without causing a serious bottleneck problem)...

At any rate, If you're interested in knowing, you CAN use a proxy service that will scan the contents of each passing packet, and drop the kazaa junk... But like I said, it's weighs heavy on the heart... (and it's a real arse to set up, too... )

From where I'm sitting, it's just not worth the trouble... I'll just start kicking butt...

Thankx for the helpz

Rev

[rapier57]

We take about three different tacks on this. KaZaa, Morpheus and other P2P systems must execute, so we can grab a signature from the executable and add it to our Key server (license keys) and award that signature a grand total of zero, zip, nadda licenses. Renaming the executable doesn't defeat this. Of course, you have to have all the signatures for all the different versions.

We also add the executable name (and/or the installer package name) to the "do not run" list in AD. That has limited effectiveness.

Otherwise, we monitor bandwidth at the router. The P2Ps have a "signature" that we can identify quickly. Kinda like the spikes for SETI@Home. P2P's start taking a percentage of the available pipe, and hold it at that level. Sniff the packets and find the offender. Nail the turkey to the wall and watch 'im or 'er squirm.

Oh, yeah, make sure you have a copy of the corporate AUP (acceptable use policy) that indicates those activities which result in termination. :-)

[seabass55]

http://www.lowth.com/p2pwall/

[groovicus]

This may be overly simplistic, but how about a little app that detects when Kazaa starts up, then immediately shuts down the system, or beeps incessantly, or just blacks out the screen until a combination of keys is pressed....

[Tedob1]

On the cheap you can get the pstool kit from systernals

bastard.bat
---------------------------
echo. >stations.txt
echo. >running.txt
echo. >results.txt
net view >>stations.txt
for /F "tokens=1" %%X in (stations.txt) do pslist -t %%X >>running.txt
find /I /C "kazaa" running.txt >>results.txt
notepad results.txt
---------------------------


if you get a number in results.txt open running.txt and do a find for kazaa to see who it is

or you could use fscan (foundstone) instead of pslist if its not an nt network

fscan -bp 80,1214 10.0.0.1-10.0.1.200 >>running.txt

what i like to is open a terminal using psexec \\station -s cmd and rename all the dlls in the kazaa folder D one one, net send 127.0.0.1 file sharing is against company policy, then pskill \\station kazaa although id like to say ive been lucky because ive only come accross one instance of bear share, but i get a charge out of doing this with IMs which i get allot of

[Rev Jazzman]

Tedob... I thought about implementing something like that where I have a doze box set up on a spare port just for this sort of thing, but I'd rather not ($$$)... Besides... I prefer the idea of traffic control rather than remote application control (I'm against any type of wide-open, backdoor service like that - "justified" or not... It's simply bad practice from a security standpoint...

Besides the potential security mess... It doesn't take a lot of brain to figure out ways around it. I'd rather have the WinIdiots come to me asking my why they can't get any traffic through... If I lock down their system after they installed/ran an app under a "nazi" environment, they'll know they've messed up and it's the Clinton dance all over again... I say, "Build the filter... They will come..."


Seabass...

Yer my new hero... That's the kind of thing that keeps me coming back for more... I can't believe I never came across the link... Now if I can just figure out how to get it setup on OpenBSD, I'll be good to go...

Thanx, all. Been real...

Rev

[Tedob1]

agreed this is no where near as good as what your talking about but i would like to point out that if your running an nt network your already wide open for these kind of tools. they use WMI and are not backdoors but run from your computer. there's nothing needed on the workstation side but nt. and as far as finding ways around it...they dont even know whats happening... i want them to know they're being watched

[seabass55]

Rev: There's another way to do it using iptables string matching. I've just started messing with it. Similar stuff (above layer 3) has been discussed ealier in this thread.

Seabass

[Rev Jazzman]

hmmm....

I agree with you on the point that any NT environment (doze environment) is wide open... My point is that WMI is just MS' proprietary name for a backdoor client (NT, XP, etc... are backdoors in and of themselves, but I hope we can simply agree to disagree here if nothing else). I'm too *NIX to care, anyway ...

I just don't want to have to use MS as a temporary solution... It's too expensive and it's against my religion...

I'm going to play with p2pwall and see what I can come up with... I'll let you all know how it turns out.

Thanx again for the inputs.

Cheers,

Rev

[Tedob1]

im sorry if i sounded disagreeable wasn't meant that way. i just didn't want you to think i was suggesting trojaning your workstations :] mr bill has already done a fine job of that!