Security Incidents mailing list archives

very weird traffic


From: <cass7 () shaw ca>
Date: 20 Mar 2004 23:20:41 -0000



Not sure if here, bugtraq, or somewhere else would have been the appropriate spot to post this, so chose here since I'm 
not sure if a virus, trojan etc. is responsible. Not sure how to categorize this one. 

Some very odd behaviour is occurring on a p2p program called winmx. Normally I would pass it off as odd and forget 
about it. Please read before thinking I'm a quack ;)

If I search for "eyes wired shut" I will get up to 15,000 hits for this one title (madonna got 1597 hits this AM; 
britney spears got 4971; eyes wired shut got 11,458 hits). This file name is the most dramatic, but there are similar 
results with other searches based on what they are reporting in their shared folder. 

There are about 30 names, but the hash at the end of the name will be different, i.e. user123_45678; user234_56897; 
user489_78546; user789_78956 etc. For example, the first 5 nicknames generated 100+ nicknames with different hashes only and 
over 1,000 files listed. 

Also the reported connection to winmx is different from hash to hash - could be anything from 13.3K to T3. As well, the 
number of open slots will differ from name to name (136 of 136 available etc.).

When the user is browsed for shared files, the files shared are nearly the same. Also all are sharing on C:\Music.

When you attempt to download a file from one of these users you will receive a "connection refused" message. If you try 
searching for another based on the file's hash you might get one hit, and you won't be able to download that either. 

When TCPView is run while trying to download one of these files, the IPs are the same (one is a computer on a network, 
I think - ending numbers are .19, .20 and .21). 6 IPs no matter which name you choose from the list of 18,000 listed 
titles. 

At the same time you have the same 30 nicknames trying to upload any files you have. The difference is: 
1: they aren't sharing any files 
2: they always bypass the user's queue 
3: the file always times out. The files they are trying to upload aren't specific to any file type but seem to be 
mostly small files, txt, jpg etc.

If I block the 6 IPs in my firewall I still get these same nicknames trying to upload from me. Blocking the whole IP 
range for each doesn't work either, which leads me to the conclusion those 6 IPs aren't the only ones doing this. My 
feeble attempts at getting the IPs from the uploaders have been unsuccessful. 

So essentially you have 6 IPs who have created 30 names with hundreds of ending hashes, generating over 10,000 hits 
for one file name. You have another unknown set of IPs with the same names not sharing any files and attempting to upload. 
Odd and I don't know what to make of it.
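The signature the poster describes (a handful of source IPs presenting dozens of nickname variants that differ only in a numeric suffix, all sharing the same folder) can be surfaced from a per-connection log. The script below is an added example, not code from the original post or from WinMX; the records are constructed, using documentation IP ranges, and the nickname pattern is assumed to follow the `user123_45678` shape the poster reports.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the post: (nickname, source IP, shared path).
# IPs are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE = [
    ("user123_45678", "192.0.2.19", "C:\\Music"),
    ("user123_56897", "192.0.2.19", "C:\\Music"),
    ("user123_78546", "192.0.2.19", "C:\\Music"),
    ("user234_56897", "192.0.2.20", "C:\\Music"),
    ("user234_11111", "192.0.2.20", "C:\\Music"),
    ("user234_22222", "192.0.2.20", "C:\\Music"),
    ("user489_78546", "192.0.2.21", "C:\\Music"),
    ("user489_78547", "192.0.2.21", "C:\\Music"),
    ("alice",         "198.51.100.7", "D:\\Share"),   # ordinary single-nick peer
]

# Assumed nickname shape: alphabetic base + digits, underscore, numeric suffix ("hash").
NICK_RE = re.compile(r"^([A-Za-z]+\d+)_(\d+)$")


def nick_base(nick):
    """Strip the trailing numeric suffix so user123_45678 and user123_56897 group together."""
    m = NICK_RE.match(nick)
    return m.group(1) if m else nick


def flag_sybil_sources(records, min_variants=3):
    """Return {ip: {base_nick: variant_count}} for source IPs that present at least
    min_variants nicknames sharing one base name; a normal peer has one nick per IP."""
    nicks_by_ip = defaultdict(set)
    for nick, ip, _path in records:
        nicks_by_ip[ip].add(nick)
    flagged = {}
    for ip, nicks in nicks_by_ip.items():
        variants = defaultdict(set)
        for n in nicks:
            variants[nick_base(n)].add(n)
        hits = {b: len(v) for b, v in variants.items() if len(v) >= min_variants}
        if hits:
            flagged[ip] = hits
    return flagged


def nick_to_ip_ratio(records):
    """Distinct nicknames per distinct IP; the post's 30 names x hundreds of suffixes
    over 6 IPs gives a ratio far above 1."""
    nicks = {r[0] for r in records}
    ips = {r[1] for r in records}
    return len(nicks) / len(ips)


if __name__ == "__main__":
    for ip, hits in flag_sybil_sources(SAMPLE).items():
        print(ip, hits)
    print("nick/ip ratio:", round(nick_to_ip_ratio(SAMPLE), 2))
```

Lower `min_variants` to 2 to also catch the two-variant source in the sample; on real TCPView output the threshold should sit well above what a single legitimate peer would ever show.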
