eckman at umn.edu
Wed Feb 18 20:59:31 GMT 2004
Brian Eckman wrote:
> Fred Portnoy wrote:
>> Has anyone seen something like this? I've stopped over 14,000 of these in
>> the last hour coming out of our ResNet. Here's a sample:
>> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > 10.10.10.10.36278: S
>> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > 10.10.10.10.36278: S
>> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > 10.10.10.10.36278: S
>> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > 10.10.10.10.36278: S
>> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > 10.10.10.10.36278: S
>> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > 10.10.10.10.36278: S
>> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> It could be the demise of a P2P application called "Ares".
> http://www.softgap.com/ is the homepage. The first three hosts I looked
> at that were trying to connect to 10.10.10.10.36278 were all running
> this Ares software. It's possible there is a central server that this
> service runs through that just got its DNS entry pulled from it.
> Still a guess for now, I should know more in 15-30 minutes (I hope).
I still can't prove a connection, but six of six hosts doing this
traffic on our network (that are not firewalled) are running Ares build
2926 or older. I installed Ares (current build 2939) on a lab machine
and was not able to duplicate this traffic, but it did try to make a
connection to another invalid 10.0.0.0/8 address, as well as a bunch of
hosts on 18.104.22.168/8 on port 8888/tcp, so I suspect Ares builds 2926 and
below are to blame.
Nothing seems to be wrong with the Ares network, so my assumption about
demise and possibly my assumption that this is DNS based is likely wrong.
To check for Ares, run nMap against the "infected" target. Telnet to
suspicious-looking high numbered ports that are open (it chooses a
random port), and enter
followed by two CRLFs (hit enter twice).
Hosts running Ares on that port will answer similar to:
HTTP/1.1 404 Not Found
Server: Ares 22.214.171.12417
The last four digits of the middle line are the build number.
Obviously, if the first port that you telnet to does not respond in this
fashion, try the next suspicious high-numbered port. Perhaps you'll find
their KaZaA information as well :)
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
More information about the unisog