Mysterious presence in P2P-space



Jowls
August 17th, 2002, 10:45 AM
Yo Guys,

Have you noticed that sometimes when you put out a query for a file, you get hits that seem to be constructed on the fly, usually with several popular extensions? Like if you search for "qwerty", you would get qwerty.asf, qwerty.zip, qwerty.exe and so on.

If you run them, they will open your browser on some xxx-sites and sometimes put xxx-links on your desktop.

The server identifies itself as Gnut, meaning that it could be heavily customized. The files are mostly small (<1 MB) and the speed is high. Downloads are never queued.

The source is always 66.250.52.45, which translates to the following...
-------------------------------------------------------
Search results for: 66.250.52.45

[edited]
------------------------------------------------------------------------

I find all this a bit weird, since Cogent is known as a serious ISP with no connection to the xxx-business. In fact, I can't ever imagine them wanting to be associated with the shadier side of the Internet. Also, as a supplier of bandwidth, they should have no motive for sabotaging the P2P community.

So what is going on here? Anybody out there have a clue?

Jowls

pogue
August 17th, 2002, 11:11 AM
I have seen this on older Gnutella clients. I think most of the time now you can filter the results. I've noticed that generally the files are extremely small. What I assume is that these are people trying to install some type of trojan on your system or some kind of paid porn service. Generally you can filter out results smaller than 1 MB and it should get rid of those.
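The two filters the thread mentions (drop tiny results, and spot a host that answers a query with the bare query string under a whole set of extensions) can be combined into one pass over the query hits. The block below is an added example, not code from any client discussed in the thread; the hit records, the size threshold and the block list are constructed, and the addresses are documentation ranges rather than the one reported above.

```python
import ipaddress
from collections import defaultdict
from os.path import splitext

# Rule of thumb from the thread: the synthesized files are tiny, so drop
# anything under 1 MB.  Tune this for your own searches; it also drops
# small legitimate files.
MIN_SIZE = 1 * 1024 * 1024

# Hypothetical block list (documentation address range, not a real spammer).
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample hits for the query "qwerty".  Hosts are documentation
# addresses, not the ones reported in the thread.
SAMPLE_HITS = [
    {"host": "198.51.100.7", "name": "qwerty.asf", "size": 212_000},
    {"host": "198.51.100.7", "name": "qwerty.zip", "size": 180_500},
    {"host": "198.51.100.7", "name": "qwerty.exe", "size": 240_000},
    {"host": "198.51.100.7", "name": "qwerty.mpg", "size": 215_000},
    {"host": "198.51.100.7", "name": "QWERTY.mp3", "size": 198_000},
    {"host": "203.0.113.5", "name": "qwerty_tutorial.zip", "size": 3_400_000},
    {"host": "203.0.113.9", "name": "qwerty.txt", "size": 4_096},
    {"host": "192.0.2.44", "name": "qwerty-remix.mp3", "size": 5_100_000},
]


def stem_and_ext(name):
    """Split 'Qwerty.ZIP' into ('qwerty', '.zip'), case-folded."""
    stem, ext = splitext(name)
    return stem.lower(), ext.lower()


def synthesized_hosts(hits, query, min_exts=3):
    """Hosts whose results are the bare query string under several extensions.

    A real share rarely holds qwerty.asf, qwerty.zip and qwerty.exe side by
    side; a responder that answers that way is generating hits on the fly
    rather than matching a library.
    """
    q = query.lower()
    exts_by_host = defaultdict(set)
    for hit in hits:
        stem, ext = stem_and_ext(hit["name"])
        if stem == q and ext:
            exts_by_host[hit["host"]].add(ext)
    return {host for host, exts in exts_by_host.items() if len(exts) >= min_exts}


def in_blocklist(host, blocklist):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in blocklist)


def filter_hits(hits, query, blocklist=BLOCKLIST, min_size=MIN_SIZE):
    """Return (kept, dropped); each dropped entry carries the reason."""
    bad_hosts = synthesized_hosts(hits, query)
    kept, dropped = [], []
    for hit in hits:
        if hit["host"] in bad_hosts:
            reason = "synthesized query hit"
        elif in_blocklist(hit["host"], blocklist):
            reason = "host in block list"
        elif hit["size"] < min_size:
            reason = "below size threshold"
        else:
            kept.append(hit)
            continue
        dropped.append((hit["host"], hit["name"], reason))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_hits(SAMPLE_HITS, "qwerty")
    for hit in kept:
        print("KEEP", hit["host"], hit["name"])
    for host, name, reason in dropped:
        print("DROP", host, name, "->", reason)
```

The per-host check is the one worth keeping even after the size filter: a responder that returns the query string under five extensions is flagged regardless of how large it claims the files are, while a plain size threshold also throws away small legitimate files such as the text file in the sample.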

Rickio
August 17th, 2002, 02:27 PM
I hope you scanned those files with a good virus and trojan checker app.
I have seen those files and never been curious to know what they are, because it is obvious they are not what they purport to be.

Whoever is creating those files is most likely masking their whereabouts. What hackers usually do is break into a corporate or some institution's computers and then send their crap out to the net.

so did you scan those files?

Maybe you should report it; it's obvious abuse of the ISP and the owner's computer.

Some trojans are very hard to get rid of. They are simply small applications that allow the hacker to view your files and even control your computer. Some of these trojans actually bond with or become part of another key component of your system, like your kernel, and it is a real hassle.

jabba|xtra
August 17th, 2002, 03:54 PM
If you're using Shareaza, you can use its built-in security feature to block them. I got them all the time, then I downloaded the security update that they have made on the forums, and I never got those files again in my searches.

Shareaza Security Update (http://www.shareaza.com/forum/viewthread.aspx?ID=621&Page=1)

Sephiroth
August 17th, 2002, 04:06 PM
It's the porno spammers. Almost every major current Gnutella program uses the ban list which blocks these spammers, which I think Gnucleus was the one who compiled.

crackerjacker
August 18th, 2002, 03:14 PM
Hmmm. Does anyone know about this company Cogent?
Well, I was running a Gnutella client, I won't say which, but I noticed something weird: I got blank files from a range of IP addresses consistent with an Internet bandwidth company called Cogent. However, I noticed that the IP addresses of Cogent were consecutive.

I even did a whois on them, and they were selling 100 Mbps of Internet bandwidth for 100 bucks.
Now I am wondering, can we trust this company Cogent?
Now, I remember the company Cogent, as when I was downloading a big file from a Gnutella client, it became blank.
So I am wondering if they are going to block the Cogent IP addresses from Gnutella, or can we trust this company.

I am just saying that the fact is, I picked up a whole subset of IP addresses from Cogent, and they surely were giving out blank files. Now I didn't say anything about it, but now I gotta wonder, can we trust this company Cogent?

crackerjacker
August 18th, 2002, 03:21 PM
Matter of fact, the file was blank, so they should update the blocked IP addresses to avoid fake files from Cogent*. I am not targeting them, but now that I think about it, I am not the only one noticing this problem, so someone should address it (*Gnutella developers, that's whom).

That's all.
rtw*

Jowls
August 20th, 2002, 12:19 PM
Rickio: Yep, sure I scanned them - with a virus scanner and Ad-Aware - and came up with nothing. All you need to do is simply delete the thing plus the links it might have generated, and all is gone.

I also looked at a few selected ones in a hex editor. They are very niftily constructed, in a way so that, for instance, the ones with a video extension actually contain some video code...

Those guys are pros, and even though the current files aren't malicious in any way, this might be just a "test drive" of a technique that could get really dangerous for the P2P community.

That's why I am curious. "Know thine enemy" and all that stuff.....


Jowls

Rickio
August 20th, 2002, 12:57 PM
Yeah, there are definitely some very smart and either evil or misguided people messing with surfers on the net.
I have disabled scripting on my browsers as that apparently is one way hackers mess with folks puters.
I am sure you are probably aware of that, you seem to be a knowledgeable person.

crackerjacker
August 20th, 2002, 01:18 PM
This is about as interesting as it seems, especially the other part, where a file is fake. To speak blatantly and truthfully, what does one say to this? Two can play that game. However, hashing plays a good role in this, to avoid fake files.
So keeping in mind all this:
danger* = silence; combined together is getting rid of a necessary evil, and in this case they are the RIAA and MPAA and their power-hungry selves.


A big round of applause for hashing.
rtw
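Hashing is the check that catches both problems raised in this thread: a file whose contents were swapped for something else, and a "blank" file that arrives with the right name and size. Gnutella clients of this era advertised files by a SHA-1 URN (urn:sha1: followed by the base32 digest); the block below is an added example of that check, not code from the thread or from any client. The sample content, the zero-filled stand-in and the helper names are constructed for illustration.

```python
import base64
import hashlib


def sha1_urn(data: bytes) -> str:
    """Gnutella-style URN for a file: SHA-1 digest, base32 (RFC 4648).

    A 160-bit digest is exactly four groups of 5 bytes, so b32encode gives
    32 characters and no '=' padding.
    """
    digest = hashlib.sha1(data).digest()
    return "urn:sha1:" + base64.b32encode(digest).decode("ascii")


def sha1_hex(data: bytes) -> str:
    """Same digest in hex, for comparing with other tools."""
    return hashlib.sha1(data).hexdigest()


def looks_blank(data: bytes) -> bool:
    """The 'blank file' symptom from the thread: empty, or every byte zero."""
    return len(data) == 0 or not any(data)


def verify_download(data: bytes, expected_urn: str) -> bool:
    """True only if the bytes hash to the URN the search result advertised.

    Case-insensitive on purpose: base32 URNs circulate in both cases.
    """
    return sha1_urn(data).upper() == expected_urn.strip().upper()


# Constructed sample: the content we asked for, and a zero-filled file of the
# same length such as a bogus source might serve instead.
GOOD_FILE = b"hello"
BLANK_FILE = b"\x00" * len(GOOD_FILE)
ADVERTISED_URN = sha1_urn(GOOD_FILE)   # what an honest hit for this file carries

if __name__ == "__main__":
    print(ADVERTISED_URN)
    print("good file verifies:", verify_download(GOOD_FILE, ADVERTISED_URN))
    print("blank file verifies:", verify_download(BLANK_FILE, ADVERTISED_URN))
    print("blank file looks blank:", looks_blank(BLANK_FILE))
```

The caveat a practitioner wants here: the check is only as good as the source of the expected URN. If the same host that serves the fake file also advertised its hash, the two will match and the verification proves nothing; the URN has to come from a hit you already trust (or from several independent sources that agree). SHA-1 is no longer collision-resistant, but a substituted or zero-filled file is a second-preimage problem, which SHA-1 still resists, so the check above remains useful against the fakes described in this thread.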

doofynz
August 22nd, 2002, 04:10 PM
I thought they were those people that the RIAA hired to get people to download that stuff.

whiff
September 21st, 2002, 08:44 AM
Glad you brought this up, Jowls. I'd seen these things as well, and the .ASF files contain a fear-mongering "someone is watching you" message, followed by porn site popups. The popups seem to be coming from a site in the Czech Republic. I didn't make the Cogent connection, nice work on that, Jowls. I think what you're seeing here is just a smart Czech porn site operator using Gnutella as a traffic builder. What's interesting is the technique of synthesizing query hits; I'm nervous about what'll happen when real c0cksuckers like Overpeer, XBMC or Media Defender get hold of this idea.

Havoc
September 21st, 2002, 09:36 AM
editttttttt