[Dshield] WinLocate?

Kevin kkadow at gmail.com
Sat Oct 1 05:06:14 GMT 2005

Has anybody encountered "WinLocate" traffic in firewall reports?

According to their help page (http://www.winlocate.com/Help.htm),
the WinLocate application communicates with their servers on the
Internet (e.g. "log.winlocate.com") using UDP ports 37 and 514.

WinLocate is published by Solid Oak Software, makers of CYBERsitter
and other fine products. Their web site states:
        "WinLocate installs from the web in seconds and runs silently
        in the background so that there is no indication that computer
        activity is being logged."

WinLocate is promoted for use by home users as well as corporate
network administrators.  Among other claims, they give the impression
that it is trivial to identify the street address from an IP address,
to recover a stolen laptop.

Although the application uses UDP/514, the default apparently does
not transmit normal syslog data, though the software can be configured
into a "syslog compatible" mode.  Has anybody seen WinLocate traffic
on your network, and is there any indication that the packets are
digitally signed or encrypted in any way?


Kevin Kadow
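
An added example, not part of the original post and not WinLocate or DShield code: one way to triage captured UDP/514 payloads for the question raised above, separating well-formed BSD syslog from other cleartext and from high-entropy data. The function names, thresholds and sample payloads are assumptions constructed for illustration; high entropy only suggests compression or encryption and cannot show whether a packet is signed.

```python
import math
import re

# BSD syslog (RFC 3164) datagrams begin with "<PRI>", PRI = facility*8 + severity (0..191).
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy divided by the maximum possible for this length (0..1)."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(min(n, 256))

def classify_udp514(payload: bytes) -> str:
    """Label one UDP/514 payload. Thresholds are illustrative assumptions."""
    text_like = printable_ratio(payload) > 0.95
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191 and text_like:
        return "syslog"
    if text_like:
        return "cleartext-non-syslog"
    if len(payload) >= 16 and normalized_entropy(payload) > 0.9:
        return "high-entropy"
    return "binary"

# Constructed sample payloads (not captured WinLocate traffic).
SAMPLES = {
    "syslog": b"<34>Oct  1 05:06:14 host1 su: constructed sample message",
    "cleartext-non-syslog": b"HOST=example-pc USER=alice constructed sample",
    "high-entropy": bytes(range(256)),  # stand-in for ciphertext: every byte value once
    "binary": b"\x00\x01\x00\x00" * 16,
}

if __name__ == "__main__":
    for expected, payload in SAMPLES.items():
        print(f"{expected:22} -> {classify_udp514(payload)}")
```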

