Brian Eckman eckman at umn.edu
Wed Feb 18 20:59:31 GMT 2004

Brian Eckman wrote:
> Fred Portnoy wrote:
>> Has anyone seen something like this? I've stopped over 14,000 of these in
>> the last hour coming out of our ResNet. Here's a sample:
>> 14:02:49.983715 resnet172-163.zzzz.xxxx.2274 > S
>> 348716395:348716395(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.027129 resnet172-163.zzzz.xxxx.2278 > S
>> 351253825:351253825(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.514267 resnet168-238.zzzz.xxxx.4029 > S
>> 450499653:450499653(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:50.660068 resnet172-163.zzzz.xxxx.2279 > S
>> 351456133:351456133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:51.104998 resnet172-163.zzzz.xxxx.2275 > S
>> 349055959:349055959(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>> 14:02:51.208971 resnet172-163.zzzz.xxxx.2280 > S
>> 351634594:351634594(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> It could be the demise of a P2P application called "Ares". 
> http://www.softgap.com/ is the homepage. The first three hosts I looked 
> at that were trying to connect to were all running 
> this Ares software. It's possible there is a central server that this 
> service runs through that just got its DNS entry pulled from it.
> Still a guess for now, I should know more in 15-30 minutes (I hope).
> Brian

I still can't prove a connection, but six of six hosts doing this 
traffic on our network (that are not firewalled) are running Ares build 
2926 or older. I installed Ares (current build 2939) on a lab machine 
and was not able to duplicate this traffic, but it did try to make a 
connection to another invalid address, as well as a bunch of 
hosts on on port 8888/tcp, so I suspect Ares builds 2926 and 
below are to blame.

Nothing seems to be wrong with the Ares network, so my assumption about 
demise and possibly my assumption that this is DNS based is likely wrong.

To check for Ares, run nMap against the "infected" target. Telnet to 
suspicious-looking high numbered ports that are open (it chooses a 
random port), and enter


followed by two CRLFs (hit enter twice).

Hosts running Ares on that port will answer similar to:

HTTP/1.1 404 Not Found
Server: Ares
Connection: Keep-Alive

The last four digits of the middle line are the build number.

Obviously, if the first port that you telnet to does not respond in this 
fashion, try the next suspicious high-numbered port. Perhaps you'll find 
their KaZaA information as well :)

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list