Thu Nov 23 16:36:19 EST 2017
"tsadbot.exe". From looking around for a few minutes it looks like the
program comes with some/one of the versions of pkZip.
Link to a GIAC practical with a detect on this.
----- Original Message -----
From: "Kenneth G. Arnold" <bkarnold at ...8060...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, April 05, 2003 8:25 PM
Subject: Re: [Snort-users] ICMP PING NMAP to 184.108.40.206
> We don't have a timeout option that would log them out with no activity
> for a certain period of time so there would be no reason to have such an
> app for us. It is possible that they may have it installed for AOL and it
> is always running. It seems excessive to ping twice every 2-3 seconds for
> such an application, however. Every modem connection generates a separate
> IP address but I have traced this to at least three different users.
> arin.net shows
> PSI PSINET-B-1 (NET-149-1-0-0-1)
> 220.127.116.11 - 18.104.22.168
> Schoffstall Associates SCHOFF-NB-149-001 (NET-149-1-0-0-2)
> 22.214.171.124 - 126.96.36.199
> I can't verify the DNS name of 188.8.131.52 through nslookup but I found a
> reference somewhere else that 184.108.40.206 belongs to timesink.com which is
> supposedly a division of PSI.
> On Sat, 5 Apr 2003, Joe Hill wrote:
> > On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
> > "Kenneth G. Arnold" <bkarnold at ...8060...> wrote:
> > > Within the last week I have noticed very strange activity for ICMP
> > > PING NMAP. It started with one user and now it has spread to several
> > > more. It has so far been restricted to users connecting through
> > > dial-in access to a modem pool. Shortly after the user connects, the
> > > machine starts sending ICMP PING NMAP to internet address 220.127.116.11 at
> > > the rate of 2 pings every 2-3 seconds. That comes out to about 3000
> > > per hour. I have seen totals go as high as 17,000 per day from one
> > > source when it is connected. The only reason it stops is that the
> > > person finally disconnects.
> > >
> > > I searched the internet for an explanation for this and the only thing
> > > I could find was that some freeware/shareware has code from
> > > timesink.com built into it that sends pings to this address and tcp
> > > data to other locations within its domain. Timesink.com makes spyware
> > > that sends information about the user's activity to the company
> > > through the tcp sessions. I have set up a rule to check for any
> > > activity from our domain to timesink.com and all I see is the ICMP
> > > PING NMAP activity. It seems unlikely that a company would have a
> > > product send it information at the rate that I am seeing. I would
> > > expect to see tcp sessions also and I don't see any. I have searched
> > > Symantec's site looking for a virus that would cause this but found
> > > nothing. Could this be a disgruntled person who is distributing a
> > > program that performs a distributed denial of service attack against
> > > timesink.com? I have tried pinging 18.104.22.168 myself and it doesn't
> > > appear to be answering pings.
> > >
> > > Has anyone else encountered this situation in your logs? Does anyone
> > > know what is going on?
> > >
> > could it be some form of "keepalive" app that the users are using, to
> > keep their connection from timing out? One question, if more than one
> > user is connected to the modem pool, are the probes *all* coming from
> > the same IP?!
> > Got this with dig:
> > ; <<>> DiG 9.2.1 <<>> 22.214.171.124
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > ;; QUESTION SECTION:
> > ;126.96.36.199. IN A
> > ;; AUTHORITY SECTION:
> > . 86400 IN SOA A.ROOT-SERVERS.NET.
> > NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400
> > ;; Query time: 103 msec
> > ;; SERVER: 192.168.0.1#53(192.168.0.1)
> > ;; WHEN: Sat Apr 5 19:42:08 2003
> > ;; MSG SIZE rcvd: 102
> > as for what all that means...
> > > Ken
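The thread reasons about the ping traffic by hand: count "ICMP PING NMAP" alerts per dial-in source, turn the count into a rate (2 pings every 2-3 seconds is roughly 3000 an hour), and check whether the same sources also open TCP sessions to the destination, which is what a spyware check-in would look like. The script below does that over Snort alert_fast lines. It is an added example, not code from the list thread or from the Snort project; the alert_fast line layout it parses is assumed, the sample lines are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges, the SIDs are placeholders), and the 1000-per-hour threshold is an arbitrary choice.

```python
#!/usr/bin/env python3
"""Per-source rate check over Snort alert_fast lines (added example).

Totals "ICMP PING NMAP" alerts per (source, destination) pair, converts them
to pings per hour, flags sources above a threshold, and lists any non-ICMP
alerts to the same destination (the TCP sessions one would expect from a
spyware check-in).
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed alert_fast layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] MSG [**] [...] {PROTO} SRC[:PORT] -> DST[:PORT]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample (not real traffic): one dial-in host pinging a single
# destination twice every 2.5 s, a second host with one ping, and one hit from
# a local "any traffic to that netblock" rule. Addresses are documentation
# ranges; SIDs are placeholders.
SAMPLE_ALERTS = [
    "04/05-17:18:11.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:18:12.250000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:18:13.500000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:18:14.750000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:18:15.100000  [**] [1:1000001:1] LOCAL traffic to timesink netblock [**] [Priority: 3] {TCP} 198.51.100.7:1034 -> 192.0.2.10:80",
    "04/05-17:18:16.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:18:17.250000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "04/05-17:20:03.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10",
]


def parse_alert(line, year=2003):
    """Return a dict for one alert_fast line, or None if it does not match.

    alert_fast timestamps carry no year, so the caller supplies it.
    """
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"]}


def ping_rates(lines, msg="ICMP PING NMAP", year=2003):
    """Map (src, dst) -> (alert count, alerts per hour) for the given message."""
    buckets = defaultdict(list)
    for line in lines:
        a = parse_alert(line, year)
        if a and a["msg"] == msg and a["proto"] == "ICMP":
            buckets[(a["src"], a["dst"])].append(a["ts"])
    rates = {}
    for key, stamps in buckets.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        # n alerts span n-1 intervals; a lone alert has no measurable rate.
        rate = (len(stamps) - 1) * 3600 / span if span > 0 else 0.0
        rates[key] = (len(stamps), rate)
    return rates


def flag_sources(rates, threshold_per_hour=1000):
    """(src, dst, count, rate) tuples whose rate exceeds the threshold."""
    return sorted((src, dst, n, rate)
                  for (src, dst), (n, rate) in rates.items()
                  if rate > threshold_per_hour)


def other_traffic(lines, dst, year=2003):
    """Non-ICMP alerts to dst as (src, proto, msg); empty means pings only."""
    hits = []
    for line in lines:
        a = parse_alert(line, year)
        if a and a["dst"] == dst and a["proto"] != "ICMP":
            hits.append((a["src"], a["proto"], a["msg"]))
    return hits


if __name__ == "__main__":
    rates = ping_rates(SAMPLE_ALERTS)
    for src, dst, n, rate in flag_sources(rates):
        print(f"{src} -> {dst}: {n} pings, {rate:.0f}/hour")
    for src, proto, msg in other_traffic(SAMPLE_ALERTS, "192.0.2.10"):
        print(f"non-ICMP to 192.0.2.10: {src} {proto} ({msg})")
```

The rate is computed from the first and last alert of each pair rather than from wall-clock hours, so a session that only lasted a few seconds still reports the sustained rate; with real logs, feed it one connected session at a time, since dial-in users get a fresh address per call.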