[unisog] 10.10.10.10:36278

Brian Eckman eckman at umn.edu
Wed Feb 18 20:04:13 GMT 2004


Fred Portnoy wrote:
> Has anyone seen something like this? I've stopped over 14,000 of these in
> the last hour coming out of our ResNet. Here's a sample:
> 
> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S
> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

It could be the demise of a P2P application called "Ares".
http://www.softgap.com/ is the homepage. The first three hosts I looked 
at that were trying to connect to 10.10.10.10.36278 were all running 
this Ares software. It's possible there is a central server that this 
service runs through that just got its DNS entry pulled from it.

Still a guess for now; I should know more in 15-30 minutes (I hope).

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
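As an added example (not part of Fred's or Brian's posts), a small Python parser for the legacy tcpdump lines quoted above: it keeps only SYN-only packets, counts them per destination host:port and per source host behind each destination, flags any destination at or over a threshold, and computes the SYN rate over the capture span. The sample lines are constructed from the quoted capture (re-joined onto one line each) plus one unrelated ACK that must be ignored.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Legacy tcpdump layout quoted in the post: "ts src.sport > dst.dport: FLAGS seq:seq(len) win N ..."
TCPDUMP_TCP = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPUA.]+)\s")

# Constructed sample: the six quoted SYNs re-joined onto one line each, plus one
# unrelated ACK-only packet that a SYN counter must ignore.
SAMPLE = [
    "14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "14:02:51.300000 resnet172-163.zzzz.xxxx.1044 > 10.10.10.10.80: . ack 1 win 64240 (DF)",
]

def parse_syn(line):
    """Return (ts, src, sport, dst, dport) for a SYN-only packet, else None."""
    m = TCPDUMP_TCP.match(line)
    if m is None or m.group("flags") != "S":
        return None
    return (m.group("ts"), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")))

def syn_summary(lines, threshold):
    """Count SYNs per (dst, dport) and per source behind each; flag targets at/over threshold."""
    per_dest = Counter()
    sources = defaultdict(Counter)
    for _ts, src, _sport, dst, dport in filter(None, map(parse_syn, lines)):
        per_dest[(dst, dport)] += 1
        sources[(dst, dport)][src] += 1
    alerts = {key: n for key, n in per_dest.items() if n >= threshold}
    return per_dest, sources, alerts

def syn_rate(lines, dst, dport):
    """SYNs per second toward (dst, dport) over the capture span; 0.0 if fewer than two SYNs."""
    times = [datetime.strptime(r[0], "%H:%M:%S.%f")
             for r in filter(None, map(parse_syn, lines)) if (r[3], r[4]) == (dst, dport)]
    if len(times) < 2:
        return 0.0
    span = (max(times) - min(times)).total_seconds()
    return len(times) / span if span > 0 else float("inf")
```

On the six quoted packets this reports 6 SYNs to 10.10.10.10:36278 from two ResNet hosts at roughly 4.9 SYNs per second, the kind of per-destination count that makes a sudden burst like the 14,000 an hour described above stand out.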
