[unisog] New Peer to Peer program?

Kaiser, Russell Kaiser at mail.psc.sc.edu
Tue Oct 8 20:55:47 GMT 2002


This software is a Korean file sharing program called Soribada.
It is found at http://www.soribada.com.  We have been seeing
it on our network lately.  I had a friend who knows Korean
run the program (while I was running tcpdump) to confirm this.
This service was shut down in July and apparently reopened
sometime in August.  Here is an article about the reopening:

http://www.hankooki.com/kt_tech/200208/t2002082517182345110.htm

The software seems to use ports 22321 UDP and 7674 UDP
heavily as that tends to show up the most.  We tested
the latest version.  I believe their previous version
used a different port number (udp 9001 I believe).  The
version we tested was downloaded this afternoon.

Russell Kaiser
College of Science and Mathematics
University of South Carolina
Phone: (803)777-5838 FAX: (803)777-2136
Email:  kaiser at sc.edu 

-----Original Message-----
From: E. Larry Lidz [mailto:ellidz at eridu.uchicago.edu] 
Sent: Tuesday, October 08, 2002 12:23 PM
To: unisog at sans.org
Subject: [unisog] New Peer to Peer program?



We've started to see considerable traffic on udp ports 7674 and 22321.
Taking a quick look, the machines which are doing this traffic are also
listening on tcp 7675, 7677 and 22321. A quick look at our Argus logs shows
that connections to tcp 7675 usually start with "GETMP3 <filename>". 

Is this a new peer to peer program, or part of an older one that I'm
unfamiliar with? Google isn't shedding any light on the situation.

-Larry

---
E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
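
Added example (not part of either message): one way to combine the indicators reported in this thread (udp 7674 and 22321, tcp listeners on 7675, 7677 and 22321, and the "GETMP3 " request prefix on tcp 7675) into a per-host check over flow records. The CSV flow format, the sample addresses, the 10. internal prefix and the two-indicator threshold are all assumptions made for the example.

```python
"""Flag likely Soribada hosts from flow records using the thread's indicators."""
import csv
import io
from collections import defaultdict

UDP_PORTS = {7674, 22321}          # UDP ports reported by both posters
TCP_PORTS = {7675, 7677, 22321}    # TCP listeners reported in the original message
REQUEST_PREFIX = b"GETMP3 "        # start of connections to tcp 7675 per the Argus logs

# Constructed sample flows (hypothetical format): src,dst,proto,dport,first payload bytes
SAMPLE_FLOWS = """\
10.1.1.20,198.51.100.7,udp,7674,
10.1.1.20,198.51.100.9,udp,22321,
203.0.113.5,10.1.1.20,tcp,7675,GETMP3 song.mp3
10.1.1.31,198.51.100.7,udp,7674,
10.1.1.44,192.0.2.10,tcp,80,GET /index.html
203.0.113.8,10.1.1.52,tcp,7675,HELLO
"""

def indicators_by_host(flow_text, internal_prefix="10."):
    """Return {internal_host: set of matched indicator names}."""
    hits = defaultdict(set)
    for src, dst, proto, dport, payload in csv.reader(io.StringIO(flow_text)):
        port = int(dport)
        if proto == "udp" and port in UDP_PORTS:
            # Assumption: either end of a UDP flow to these ports may be our host.
            for host in (src, dst):
                if host.startswith(internal_prefix):
                    hits[host].add(f"udp/{port}")
        elif proto == "tcp" and port in TCP_PORTS and dst.startswith(internal_prefix):
            hits[dst].add(f"tcp-listen/{port}")
            if port == 7675 and payload.encode().startswith(REQUEST_PREFIX):
                hits[dst].add("GETMP3-request")
    return hits

def likely_soribada_hosts(flow_text, min_indicators=2):
    """Hosts matching at least min_indicators distinct indicators, sorted."""
    hits = indicators_by_host(flow_text)
    return sorted(h for h, seen in hits.items() if len(seen) >= min_indicators)

if __name__ == "__main__":
    for host, seen in sorted(indicators_by_host(SAMPLE_FLOWS).items()):
        print(host, sorted(seen))
    print("flagged:", likely_soribada_hosts(SAMPLE_FLOWS))
```

Requiring two distinct indicators keeps a host that merely touched one of the ports (10.1.1.31 and 10.1.1.52 in the sample) out of the flagged list.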

