No subject


Thu Nov 23 16:36:19 EST 2017


"tsadbot.exe".  From looking around for a few minutes it looks like the
program comes with some/one of the versions of pkZip.

http://archives.neohapsis.com/archives/sf/ms/2000-q3/0148.html

Link to a GIAC practical with a detect on this.

http://www.giac.org/practical/Robert_Hunt.doc

~Jeff

----- Original Message -----
From: "Kenneth G. Arnold" <bkarnold at ...8060...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, April 05, 2003 8:25 PM
Subject: Re: [Snort-users] ICMP PING NMAP to 149.1.1.1


> We don't have a timeout option that would log them out with no activity
> for a certain period of time so there would be no reason to have such an
> app for us.  It is possible that they may have it installed for AOL and it
> is always running.  It seems excessive to ping twice every 2-3 seconds for
> such an application, however. Every modem connection generates a separate
> IP address but I have traced this to at least three different users.
>
> arin.net shows
> PSI PSINET-B-1 (NET-149-1-0-0-1)
>                                   149.1.0.0 - 149.1.255.255
> Schoffstall Associates SCHOFF-NB-149-001 (NET-149-1-0-0-2)
>                                   149.1.0.0 - 149.1.255.255
>
>
> I can't verify the dns name of 149.1.1.1 through nslookup but I found a
> reference somewhere else that 149.1.1.1 belongs to timesink.com which is
> supposedly a division of PSI.
>
> Ken
>
> On Sat, 5 Apr 2003, Joe Hill wrote:
>
> > On Sat, 5 Apr 2003 17:18:11 -0600 (CST)
> > "Kenneth G. Arnold" <bkarnold at ...8060...> wrote:
> >
> > > Within the last week I have noticed very strange activity for ICMP
> > > PING NMAP.  It started with one user and now it has spread to several
> > > more. It has so far been restricted to users connecting through
> > > dial-in access to a modem pool.  Shortly after the user connects, the
> > > machine starts sending ICMP PING NMAP to internet address 149.1.1.1 at
> > > the rate of 2 pings every 2-3 seconds. That comes out to about 3000
> > > per hour. I have seen totals go as high as 17,000 per day from one
> > > source when it is connected.  The only reason it stops is that the
> > > person finally disconnects.
> > >
> > > I searched the internet for an explanation for this and the only thing
> > > I could find was that some freeware/shareware has code from
> > > timesink.com built into it that sends pings to this address and tcp
> > > data to other locations within its domain.  Timesink.com makes spyware
> > > that sends information about the user's activity to the company
> > > through the tcp sessions.  I have set up a rule to check for any
> > > activity from our domain to timesink.com and all I see is the ICMP
> > > PING NMAP activity.  It seems unlikely that a company would have a
> > > product send it information at the rate that I am seeing.  I would
> > > expect to see tcp sessions also and I don't see any.  I have searched
> > > Symantec's site looking for a virus that would cause this but found
> > > nothing.  Could this be a disgruntled person who is distributing a
> > > program that performs a distributed denial of service attack against
> > > timesink.com? I have tried pinging 149.1.1.1 myself and it doesn't
> > > appear to be answering pings.
> > >
> > > Has anyone else encountered this situation in your logs? Does anyone
> > > know what is going on?
> > >
> >
> > could it be some form of "keepalive" app that the users are using, to
> > keep their connection from timing out? One question, if more than one
> > user is connected to the modem pool, are the probes *all* coming from
> > the same IP?!
> >
> > Got this with dig:
> >
> > ; <<>> DiG 9.2.1 <<>> 149.1.1.1
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26439
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;149.1.1.1.                     IN      A
> >
> > ;; AUTHORITY SECTION:
> > .                       86400   IN      SOA     A.ROOT-SERVERS.NET.
> > NSTLD.VERISIGN-GRS.COM. 2003040501 1800 900 604800 86400
> >
> > ;; Query time: 103 msec
> > ;; SERVER: 192.168.0.1#53(192.168.0.1)
> > ;; WHEN: Sat Apr  5 19:42:08 2003
> > ;; MSG SIZE  rcvd: 102
> >
> > as for what all that means...
> >
> > > Ken
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
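The pattern Ken describes (one dial-up host firing "ICMP PING NMAP" alerts at one destination, two echo requests every 2-3 seconds, for as long as the session lasts) can be pulled out of a Snort fast-alert file by rating each source/destination pair. The script below is an added example, not from the thread or from the Snort project; the alert lines it parses are constructed, and the Snort fast-alert layout and the source addresses are assumed.

```python
import re
from collections import defaultdict

# Snort "fast" alert line (layout assumed), for example:
# 04/05-17:18:11.201543 [**] [1:469:1] ICMP PING NMAP [**] [Classification: ...] [Priority: 2] {ICMP} 10.9.1.21 -> 149.1.1.1
LINE_RE = re.compile(
    r"^\d\d/\d\d-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ \[\*\*\] \[[\d:]+\] "
    r"(?P<msg>.+?) \[\*\*\] .*\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

def parse_alert(line):
    """Return (seconds_since_midnight, msg, src, dst), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return t, m["msg"], m["src"], m["dst"]

def find_beaconing(lines, msg="ICMP PING NMAP", min_alerts=10, min_per_minute=20.0):
    """Group alerts by (src, dst) and flag pairs that fire at a sustained rate.
    Rate = alerts per minute between the pair's first and last alert."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_alert(line)
        if rec and rec[1] == msg:
            times[(rec[2], rec[3])].append(rec[0])
    flagged = []
    for (src, dst), ts in times.items():
        if len(ts) < min_alerts:
            continue                      # a handful of pings is not a beacon
        span = max(ts) - min(ts)
        rate = len(ts) / (span / 60.0) if span > 0 else float("inf")
        if rate >= min_per_minute:
            flagged.append((src, dst, len(ts), round(rate, 1)))
    return sorted(flagged)

def constructed_sample():
    """Constructed alerts (not real logs): one host sends two echo requests every
    2.5 s for about 30 s, the cadence reported in the thread; a second host pings once."""
    fmt = ("04/05-17:{m:02d}:{s:02d}.000000 [**] [1:469:1] ICMP PING NMAP [**] "
           "[Classification: Attempted Information Leak] [Priority: 2] {{ICMP}} "
           "{src} -> 149.1.1.1")
    lines = []
    for tenths in range(0, 300, 25):          # 0.0 s, 2.5 s, ..., 27.5 s after start
        sec = 18 * 60 + 11 + tenths // 10     # wall clock counted from 17:18:11
        for _ in range(2):                    # two pings per burst
            lines.append(fmt.format(m=sec // 60, s=sec % 60, src="10.9.1.21"))
    lines.append(fmt.format(m=19, s=30, src="10.9.1.77"))
    return lines
```

Run against a real `alert` file with `find_beaconing(open("alert").readlines())`; a pair flagged at roughly 50 per minute matches the 3000-per-hour rate Ken reports.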
