Christian Bierre wrote:
>
> Lloyd Bryant wrote:
>> And I've got several more sources doing exactly the same thing:
>
>> 64.62.210.2
>> 64.62.210.3
>> 64.62.210.4
>> 64.62.210.66
>> 64.62.210.67
>> 64.62.210.68
>>
>> 78.129.136.194
>> 78.129.136.195
>
> Do you have any more information e.g., some sample query hits?
>
> Is this a typo? It belongs to a university unrelated to the above addresses.
>> 78.128.136.196
Yes - that one was a typo - should have been 78.129.136.196
>
>> Tracerouting them shows the 64.62.210.x addresses route via Hurricane
>> Electric (no surprise there), while the 78.129.136.x addresses route via
>> RapidSwitch (which we've already got a couple of "hostiles.txt" entries on).
>
> You don't have to traceroute them. That's also *dangerous* because they can
> see that. whoooooo! Just use whois. Sometimes the hosters/ISPs even run a
> whois server and you can check which business/individual the range is
> assigned to which helps to correlate things.
Thanks for the tip.
Here's the "more info" you requested:
* * * * *
07-10-08 15:31:37 (WARNING): [weird #1] node 64.62.210.195:12480
(LimeWire/4.12.8) advertised 64.62.210.195 but now says Query Hits from
193.23.174.86:48294
----------------- Query Hit Data (weird):
Offset 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0 03 a6 bc c1 17 ae 56 04 10 00 00 1a 00 00 00 20 ......V.........
16 1d 30 00 30 32 5f 2d 5f 69 74 27 73 20 61 6c 72 .0.02_-_it's.alr
32 69 67 68 74 2e 6d 70 33 00 75 72 6e 3a 73 68 61 ight.mp3.urn:sha
48 31 3a 54 50 42 32 56 4a 4d 36 44 4f 46 34 46 32 1:TPB2VJM6DOF4F2
64 43 4c 34 57 47 4e 55 50 43 33 57 57 55 50 4f 4b CL4WGNUPC3WWUPOK
80 4b 48 1c c3 82 43 54 44 80 6d 18 45 00 57 00 00 KH...CTD.m.E.W..
96 00 40 6a 21 00 30 32 2d 49 74 27 73 20 41 6c 72 .@j!.02-It's.Alr
112 69 67 68 74 5f 31 32 38 5f 6c 61 6d 65 5f 63 62 ight_128_lame_cb
128 72 28 61 6c 62 75 6d 20 76 65 72 73 69 6f 6e 29 r(album.version)
144 2e 6d 34 61 00 75 72 6e 3a 73 68 61 31 3a 4d 51 .m4a.urn:sha1:MQ
160 4a 53 32 32 58 58 53 32 45 43 43 32 43 4f 4e 47 JS22XXS2ECC2CONG
176 32 4e 42 49 47 42 57 57 52 52 4f 4b 4b 48 1c c3 2NBIGBWWRROKKH..
192 82 43 54 44 80 6d 18 45 00 56 00 00 00 90 ee 30 .CTD.m.E.V.....0
208 00 30 32 2d 69 74 27 73 20 61 6c 72 69 67 68 74 .02-it's.alright
224 2d 31 36 30 5f 6c 61 6d 65 5f 63 62 72 2e 6d 34 -160_lame_cbr.m4
240 61 00 75 72 6e 3a 73 68 61 31 3a 54 33 32 51 4a a.urn:sha1:T32QJ
Offset 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
256 48 4f 34 32 36 46 49 33 47 55 32 4d 57 34 4c 49 HO426FI3GU2MW4LI
272 32 32 54 50 52 55 51 4f 4b 4b 48 1c c3 82 43 54 22TPRUQOKKH...CT
288 44 80 6d 18 45 00 4c 49 4d 45 04 3c 39 69 01 01 D.m.E.LIME.<9i..
672 a4 e3 25 ae 3d 4f eb ff 7c 05 3e a6 01 96 00 ..%.=O..|.>....
----------------- (687 bytes).
07-10-08 15:31:37 (WARNING): [weird #2] Node 64.62.210.195:12480
(LimeWire/4.12.8) has GUID 49a4e325ae3d4febff7c053ea6019600 but used
5baae3910b1c4f70ffe0057dff01f700 in Q-Hit (699 bytes) [hops=1, TTL=4]
07-10-08 15:31:37 (WARNING): [weird #3] node 64.62.210.195:12480
(LimeWire/4.12.8) advertised 193.23.174.86 but now says Query Hits from
68.37.223.25:16182
* * * * *
07-10-08 15:32:36 (WARNING): [weird #1] node 64.62.210.194:52768
(LimeWire/4.12.8) advertised 64.62.210.194 but now says Query Hits from
84.62.244.173:23094
----------------- Query Hit Data (weird):
Offset 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
0 03 36 5a 54 3e f4 ad 2c 01 00 00 59 00 00 00 c0 .6ZT>..,...Y....
16 95 2c 00 31 37 2e 20 6c 69 67 68 74 20 6d 79 20 .,.17..light.my.
32 66 69 72 65 2e 6d 34 61 00 75 72 6e 3a 73 68 61 fire.m4a.urn:sha
48 31 3a 47 4e 4f 56 32 52 58 32 53 4d 32 32 37 48 1:GNOV2RX2SM227H
64 52 4a 32 53 58 36 32 4f 41 32 53 50 51 55 4f 4e RJ2SX62OA2SPQUON
80 50 4f 1c c3 82 43 54 44 80 6d 18 45 00 33 00 00 PO...CTD.m.E.3..
96 00 b0 8b 36 00 4c 69 67 68 74 20 4d 79 20 46 69 ...6.Light.My.Fi
112 72 65 2d 55 62 34 30 2e 77 6d 61 00 75 72 6e 3a re-Ub40.wma.urn:
128 73 68 61 31 3a 34 37 46 57 36 54 32 34 36 32 49 sha1:47FW6T2462I
144 4e 50 43 4b 45 52 51 32 57 42 33 35 54 56 55 52 NPCKERQ2WB35TVUR
160 53 4f 4e 54 4f 1c c3 82 43 54 44 80 6d 18 45 00 SONTO...CTD.m.E.
176 4b 00 00 00 c0 85 96 00 4c 69 67 68 74 20 4d 79 K.......Light.My
192 20 46 69 72 65 20 2d 20 55 62 34 30 20 2d 20 74 .Fire.-.Ub40.-.t
208 6f 72 72 65 6e 74 61 7a 6f 73 2e 63 6f 6d 2e 77 orrentazos.com.w
224 6d 61 00 75 72 6e 3a 73 68 61 31 3a 4d 58 37 4c ma.urn:sha1:MX7L
240 49 41 32 45 50 36 4f 4a 56 56 49 51 33 36 52 4e IA2EP6OJVVIQ36RN
Offset 0 1 2 3 4 5 6 7 8 9 a b c d e f 0123456789abcdef
256 4f 33 45 44 50 54 56 53 4f 4e 57 4f 1c c3 82 43 O3EDPTVSONWO...C
272 54 44 80 6d 18 45 00 4c 49 4d 45 04 3c 39 35 01 TD.m.E.LIME.<95.
400 61 75 64 69 6f 20 74 69 74 6c 65 3d 22 4c 69 67 audio.title="Lig
416 68 74 20 4d 79 20 46 69 72 65 22 20 73 65 63 6f ht.My.Fire".seco
432 6e 64 73 3d 22 32 32 35 22 20 62 69 74 72 61 74 nds="225".bitrat
448 65 3d 22 39 36 22 20 69 6e 64 65 78 3d 22 30 22 e="96".index="0"
464 2f 3e 3c 61 75 64 69 6f 20 61 72 74 69 73 74 3d /><audio.artist=
608 a6 fa 4f c6 ff 5e 05 a7 f1 00 3b 00 ..O..^....;.
----------------- (620 bytes).
07-10-08 15:32:36 (WARNING): [weird #2] Node 64.62.210.194:52768
(LimeWire/4.12.8) has GUID a49ae312a6fa4fc6ff5e05a7f1003b00 but used
d19be3372bbf4fe3fff905c494006800 in Q-Hit (685 bytes) [hops=1, TTL=4]
07-10-08 15:32:36 (WARNING): [weird #3] node 64.62.210.194:52768
(LimeWire/4.12.8) advertised 84.62.244.173 but now says Query Hits from
24.230.44.159:18941
* * * * *
It's the same behaviour as before - the nodes are sending query hits with
varying IP addresses. For each of these, I get the exact same pattern, until
it hits MAX_WEIRD_MSG and is disconnected with a security violation. So far,
all of the query hits have been for audio files (mp3, wma, m4a).
Note that all of these report the same vendor (LimeWire 4.12.8).
And I've picked up a couple of new ones. Here's the full list of addresses
(with ports) that I've caught in this behavior:
64.62.210.2:2668
64.62.210.2:3308
64.62.210.2:34200
64.62.210.2:39036
64.62.210.2:43610
64.62.210.2:48895
64.62.210.2:50769
64.62.210.2:56321
64.62.210.2:57196
64.62.210.2:60001
64.62.210.3:21777
64.62.210.3:32085
64.62.210.3:42775
64.62.210.3:44404
64.62.210.3:58403
64.62.210.4:49107
64.62.210.4:52713
64.62.210.4:55577
64.62.210.4:60984
64.62.210.66:2482
64.62.210.66:4753
64.62.210.66:63098
64.62.210.66:64201
64.62.210.67:10070
64.62.210.67:12497
64.62.210.67:33383
64.62.210.67:37377
64.62.210.67:42784
64.62.210.67:52350
64.62.210.68:12316
64.62.210.68:30965
64.62.210.68:39403
64.62.210.68:42283
64.62.210.68:51446
64.62.210.68:54860
64.62.210.68:64875
64.62.210.194:18219
64.62.210.194:29079
64.62.210.194:46586
64.62.210.194:8269
64.62.210.195:15423
64.62.210.195:21109
64.62.210.195:21295
64.62.210.195:33465
64.62.210.195:33544
64.62.210.195:40568
64.62.210.195:42204
64.62.210.195:59786
64.62.210.195:8736
64.62.210.196:1203
64.62.210.196:12875
64.62.210.196:15054
64.62.210.196:19510
64.62.210.196:24982
64.62.210.196:25451
64.62.210.196:37360
64.62.210.196:41339
64.62.210.196:41684
64.62.210.196:63747
64.62.214.66:61718
64.62.214.66:65244
64.62.214.66:8734
64.62.214.67:16583
64.62.214.67:37236
64.62.214.67:39182
64.62.214.68:11865
64.62.214.68:22690
64.62.214.68:30510
64.62.214.68:52299
64.62.214.68:7758
78.129.136.194:14112
78.129.136.194:14506
78.129.136.194:17646
78.129.136.194:30975
78.129.136.194:59832
78.129.136.194:60668
78.129.136.194:64981
78.129.136.195:14258
78.129.136.195:15823
78.129.136.195:57627
78.129.136.195:62307
78.129.136.195:7942
78.129.136.196:21222
78.129.136.196:29123
78.129.136.196:40755
78.129.136.196:42916
78.129.136.228:1669
78.129.136.228:47797
78.129.136.228:52646
The 64.62.210.x addresses are Hurricane Electric. The 64.62.214.x addresses
trace back to a "Michael Dillon" using "radianz.com" as an ISP. The
78.129.136.x addresses seem to belong to "Darkstar Management", with
RapidSwitch as the ISP.
Let me know if you need more detail. I've currently got a 58Mb "errors" file,
which should provide enough detail for just about anything :-)
Lloyd B.
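As an added example (not code from this thread or from gtk-gnutella), the following Python decodes the query hit payload quoted in the first log excerpt and reproduces the two checks the discussion turns on: the address carried inside the hit against the address the neighbour advertised, and the grouping of the offending nodes by /24 so a single whois lookup per network suffices. The record layout (11-byte header, then index/size/filename/extension records) is the published Gnutella 0.6 QueryHit format; `QHIT_BYTES` is transcribed from the hex dump above (offsets 0..303, the contiguous part the dump shows); `SAMPLE_LOG` is the thread's own warning lines with the mail wrapping removed. `advertised_ip_mismatch` is an assumption about what the "[weird #1]" warning compares, not gtk-gnutella's actual code.

```python
import re
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address, IPv4Network

# Offsets 0..303 of the 687-byte query hit from the 15:31:37 excerpt, transcribed
# from the hex dump above (the dump elides 304..671, so the vendor trailer and the
# trailing 16-byte servent GUID are not included here).
QHIT_BYTES = bytes.fromhex(
    "03 a6 bc c1 17 ae 56 04 10 00 00 1a 00 00 00 20 "
    "1d 30 00 30 32 5f 2d 5f 69 74 27 73 20 61 6c 72 "
    "69 67 68 74 2e 6d 70 33 00 75 72 6e 3a 73 68 61 "
    "31 3a 54 50 42 32 56 4a 4d 36 44 4f 46 34 46 32 "
    "43 4c 34 57 47 4e 55 50 43 33 57 57 55 50 4f 4b "
    "4b 48 1c c3 82 43 54 44 80 6d 18 45 00 57 00 00 "
    "00 40 6a 21 00 30 32 2d 49 74 27 73 20 41 6c 72 "
    "69 67 68 74 5f 31 32 38 5f 6c 61 6d 65 5f 63 62 "
    "72 28 61 6c 62 75 6d 20 76 65 72 73 69 6f 6e 29 "
    "2e 6d 34 61 00 75 72 6e 3a 73 68 61 31 3a 4d 51 "
    "4a 53 32 32 58 58 53 32 45 43 43 32 43 4f 4e 47 "
    "32 4e 42 49 47 42 57 57 52 52 4f 4b 4b 48 1c c3 "
    "82 43 54 44 80 6d 18 45 00 56 00 00 00 90 ee 30 "
    "00 30 32 2d 69 74 27 73 20 61 6c 72 69 67 68 74 "
    "2d 31 36 30 5f 6c 61 6d 65 5f 63 62 72 2e 6d 34 "
    "61 00 75 72 6e 3a 73 68 61 31 3a 54 33 32 51 4a "
    "48 4f 34 32 36 46 49 33 47 55 32 4d 57 34 4c 49 "
    "32 32 54 50 52 55 51 4f 4b 4b 48 1c c3 82 43 54 "
    "44 80 6d 18 45 00 4c 49 4d 45 04 3c 39 69 01 01 "
)

# The 'weird' warnings from the excerpts above, with the mail line wrapping removed.
SAMPLE_LOG = [
    "07-10-08 15:31:37 (WARNING): [weird #1] node 64.62.210.195:12480 (LimeWire/4.12.8) "
    "advertised 64.62.210.195 but now says Query Hits from 193.23.174.86:48294",
    "07-10-08 15:31:37 (WARNING): [weird #2] Node 64.62.210.195:12480 (LimeWire/4.12.8) "
    "has GUID 49a4e325ae3d4febff7c053ea6019600 but used 5baae3910b1c4f70ffe0057dff01f700 in Q-Hit",
    "07-10-08 15:31:37 (WARNING): [weird #3] node 64.62.210.195:12480 (LimeWire/4.12.8) "
    "advertised 193.23.174.86 but now says Query Hits from 68.37.223.25:16182",
    "07-10-08 15:32:36 (WARNING): [weird #1] node 64.62.210.194:52768 (LimeWire/4.12.8) "
    "advertised 64.62.210.194 but now says Query Hits from 84.62.244.173:23094",
    "07-10-08 15:32:36 (WARNING): [weird #3] node 64.62.210.194:52768 (LimeWire/4.12.8) "
    "advertised 84.62.244.173 but now says Query Hits from 24.230.44.159:18941",
]

WEIRD_RE = re.compile(
    r"\[weird #\d+\] node (?P<node>[\d.]+):\d+ \((?P<vendor>[^)]+)\) "
    r"advertised (?P<adv>[\d.]+) but now says Query Hits from (?P<claim>[\d.]+):\d+",
    re.IGNORECASE)

def parse_query_hit(payload):
    """Decode a Gnutella 0.6 QueryHit payload (little-endian integers):
    header  hits(1) port(2) ip(4) speed(4); then per hit index(4) size(4)
    filename NUL extension-block NUL; the trailer (vendor code ... 16-byte GUID)
    follows at the returned offset and is not decoded, the dump being elided."""
    if len(payload) < 11:
        raise ValueError("payload shorter than the 11-byte QueryHit header")
    hits, port = struct.unpack_from("<BH", payload, 0)
    ip = str(IPv4Address(payload[3:7]))
    (speed,) = struct.unpack_from("<I", payload, 7)
    results, pos = [], 11
    for _ in range(hits):
        if pos + 8 > len(payload):
            raise ValueError("truncated result record at offset %d" % pos)
        index, size = struct.unpack_from("<II", payload, pos)
        pos += 8
        name_end = payload.index(b"\x00", pos)        # ValueError if unterminated
        filename = payload[pos:name_end].decode("latin-1")
        ext_end = payload.index(b"\x00", name_end + 1)
        ext = payload[name_end + 1:ext_end]
        pos = ext_end + 1
        # Extension block: urn:sha1: in base32, then GGEP data after 0x1c (left undecoded).
        m = re.match(rb"urn:sha1:([A-Z2-7]{32})", ext)
        results.append({"index": index, "size": size, "filename": filename,
                        "sha1": m.group(1).decode() if m else None})
    return {"hits": hits, "port": port, "ip": ip, "speed": speed,
            "results": results, "trailer_offset": pos}

def advertised_ip_mismatch(advertised_ip, payload):
    """Assumed reconstruction of the '[weird #1] advertised X but now says Query
    Hits from Y' check: the address inside a hit received straight from a
    neighbour should be the one that neighbour advertised."""
    return parse_query_hit(payload)["ip"] != advertised_ip

def summarize_weird(lines):
    """Group the warnings by the /24 of the offending node, the way the address
    list above was assembled by hand, so one whois per network is enough."""
    per_net = defaultdict(lambda: {"nodes": set(), "vendors": Counter(), "claimed": set()})
    for line in lines:
        m = WEIRD_RE.search(line)
        if m is None:
            continue
        net = str(IPv4Network(m["node"] + "/24", strict=False))
        per_net[net]["nodes"].add(m["node"])
        per_net[net]["vendors"][m["vendor"]] += 1
        per_net[net]["claimed"].add(m["claim"])
    return dict(per_net)
```

Decoding the dump this way confirms the log's reading of it: the hit claims 193.23.174.86:48294 and lists three audio files with their SHA-1 URNs, the vendor code "LIME" starts right after the third record, and the GUID in the "[weird #2]" line is the last sixteen bytes of the payload (the dump's final row, 672..686, is that GUID minus its first byte).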
_______________________________________________
gtk-gnutella-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/gtk-gnutella-devel