[unisog] New Peer to Peer program?
Kaiser at mail.psc.sc.edu
Tue Oct 8 20:55:47 GMT 2002
This software is a Korean file sharing program called Soribada.
It is found at http://www.soribada.com. We have been seeing
it on our network lately. I had a friend who knows Korean
run the program (while I was running tcpdump) to confirm this.
This service was shut down in July and apparently reopened
sometime in August. Here is an article about the reopening:
The software seems to use ports 22321 UDP and 7674 UDP
heavily as that tends to show up the most. We tested
the latest version. I believe their previous version
used a different port number (udp 9001 I believe). The
version we tested was downloaded this afternoon.
College of Science and Mathematics
University of South Carolina
Phone: (803)777-5838 FAX: (803)777-2136
Email: kaiser at sc.edu
From: E. Larry Lidz [mailto:ellidz at eridu.uchicago.edu]
Sent: Tuesday, October 08, 2002 12:23 PM
To: unisog at sans.org
Subject: [unisog] New Peer to Peer program?
We've started to see considerable traffic on udp ports 7674 and 22321.
Taking a quick look, the machines which are doing this traffic are also
listening on tcp 7675, 7677 and 22321. A quick look at our Argus logs shows
that connections to tcp 7675 usually start with "GETMP3 <filename>".
Is this a new peer to peer program, or part of an older one that I'm
unfamiliar with? Google isn't shedding any light on the situation.
E. Larry Lidz Phone: +1 773 702-2208
Sr. Network Security Officer Fax: +1 773 834-8444
Network Security Center, The University of Chicago
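
As an added example (not part of the original messages), the following Python scores local hosts against the indicators reported in this thread: UDP ports 7674 and 22321, TCP ports 7675, 7677 and 22321, and the "GETMP3 " prefix on tcp 7675. The flow-record tuple format, the 10.0.0.0/8 local range, the sample records and the confirmed/likely/weak tiers are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Indicators reported in the thread for the tested Soribada version.
UDP_PORTS = {7674, 22321}
TCP_PORTS = {7675, 7677, 22321}
TRANSFER_PORT = 7675            # connections here usually start with "GETMP3 <filename>"
TRANSFER_PREFIX = b"GETMP3 "
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed campus range

# Constructed flow records, assumed format: (proto, src, dst, dst_port, first_payload_bytes)
SAMPLE_FLOWS = [
    ("udp", "10.0.1.15", "203.0.113.9", 22321, b""),
    ("udp", "10.0.1.15", "203.0.113.40", 7674, b""),
    ("tcp", "198.51.100.7", "10.0.1.15", 7675, b"GETMP3 track01.mp3\r\n"),
    ("tcp", "10.0.2.20", "192.0.2.80", 7675, b"GET /index.html HTTP/1.0\r\n"),
    ("udp", "10.0.3.30", "192.0.2.53", 53, b""),
    ("udp", "10.0.4.44", "203.0.113.9", 7674, b""),
    ("udp", "10.0.5.5", "203.0.113.9", 7674, b""),
    ("udp", "10.0.5.5", "203.0.113.77", 22321, b""),
]

def score_hosts(flows):
    """Map each local host to the sorted list of indicators seen for it."""
    hits = defaultdict(set)
    for proto, src, dst, dport, payload in flows:
        # Attribute the indicator to whichever endpoint sits on the local network.
        for host in (h for h in (src, dst) if ipaddress.ip_address(h) in LOCAL_NET):
            if proto == "udp" and dport in UDP_PORTS:
                hits[host].add(f"udp/{dport}")
            elif proto == "tcp" and dport == TRANSFER_PORT and payload.startswith(TRANSFER_PREFIX):
                hits[host].add("getmp3")
            elif proto == "tcp" and dport in TCP_PORTS:
                hits[host].add(f"tcp/{dport}")
    return {host: sorted(seen) for host, seen in hits.items()}

def classify(indicators):
    """Assumed tiers: payload match > both UDP ports > a single port hit."""
    if "getmp3" in indicators:
        return "confirmed"
    if all(f"udp/{p}" in indicators for p in UDP_PORTS):
        return "likely"
    return "weak"

def report(flows):
    return {host: classify(ind) for host, ind in score_hosts(flows).items()}

if __name__ == "__main__":
    for host, verdict in sorted(report(SAMPLE_FLOWS).items()):
        print(host, verdict)
```

A port-only hit stays in the weak tier because an unrelated service can use the same port number, as the constructed HTTP request on tcp 7675 shows.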