Gnutella Forums  

Go Back   Gnutella Forums > Current Gnutella Client Forums > GnucDNA Based Clients > Gnucleus (Windows)
Register FAQ The Twelve Commandments Members List Calendar Arcade Find the Best VPN Today's Posts

Gnucleus (Windows) For assistance for users with the Gnucleus program. Important links: Updated Gnucleus 2.2.0.0 Installer! and also Updated Connection Caches for Gnucleus!


Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old May 20th, 2002
Apprentice
 
Join Date: May 20th, 2002
Posts: 7
cloudwatcher is flying high
Question Gnutella Virus At Work?

OK, this has probably been covered already, but I missed it, so I'd appreciate a little help

I'm using Gnucleus. Whenever I do a search, I always get two results that exactly match the search criteria I've entered. One is a .URL (Windows Internet Shortcut) file that is alwasy 115K in size and one is an .MPG file that is always (I believe) 28K in size. Occasionally I'll get a third hit for something like "free passcodes for X" where X is the search criteria I've entered.

Since I often use shorthand for searches, the fact that these "hits" are being generated in response to my query is obvious. F'rinstance, if I'm searching for a song (let's say "She Blinded me With Science" by Thomas Dolby) and I put in "Dolby Blinded Science", along with all the hits for the "Thomas Dolby - She Blinded Me With Science.mp3", I'll get hits for "Dolby Blinded Science.url" and "Dolby Blinded Science.mpg".

I've never downloaded one of these files, since I assume something unpleasant is up. But I'm afraid that one day I'll accidentally grab one from a long list of hits. Those lists DO jump around when you're trying to click on them :-P

So I really have three questions:
1. What is generating these fake hits? Is it some kind of Gnutella virus?

2. Why do the .URL files continue to show up even though I've blocked .URL files in Gnucleus using the Search filter?

3. These files always seem to come from the same IP. Why do they continue to appear after I've denied that IP using the connect filter?

Reply With Quote
  #2 (permalink)  
Old May 21st, 2002
Unregistered
Guest
 
Posts: n/a
Default

http://www.gnutellaforums.com/showth...threadid=11503

hmm..i think i sucessfully blocked those 2 ips...either they are being blocked or i'm connected where search results don't hit those 2 hosts..
Reply With Quote
  #3 (permalink)  
Old May 26th, 2002
sanelson's Avatar
Gnutella Jewel
 
Join Date: May 25th, 2002
Posts: 97
sanelson is flying high
Default Porn

I downloaded one of these once just to see what the hell it was. BTW, there's also an MP3 file like this too. The .url file is just a link. Same thing that your Favorites use in IE. It's a link to a porn site. The MP3 and the movie will both open up a different page (I guess so they can keep track of where their hits are coming from) on the same Porn site if you open them in Windows Media Player. It's not really a virus, just a very deceptive way for these people to get people to come to their site.
Reply With Quote
  #4 (permalink)  
Old May 30th, 2002
Apprentice
 
Join Date: May 20th, 2002
Posts: 7
cloudwatcher is flying high
Default

Ooohhh...OK - so it's not a Gnutella virus - it's Gnutella SPAM!

A porn merchant using sleazy tactics. Who would have thought?
Reply With Quote
  #5 (permalink)  
Old May 30th, 2002
ursula's Avatar
Cleaning Lady
 
Join Date: May 17th, 2002
Location: koyaanisqatsi
Posts: 2,334
ursula is a great assister to others; your light through the dark tunnel
Default

Quote:
Originally posted by cloudwatcher
Ooohhh...OK - so it's not a Gnutella virus - it's Gnutella SPAM!

A porn merchant using sleazy tactics. Who would have thought?
In fact, it is not Gnutella anything.
It is an individual or company who happen to be "sharing" this garbage on the Gnutella Network. They also happen to be sharing this same garbage on WinMX and eDonkey, as well.

So, please don't think of these things as of the Gnutella Network.
Reply With Quote
  #6 (permalink)  
Old May 30th, 2002
Member
 
Join Date: March 10th, 2001
Location: Freiburg / D
Posts: 81
chr_rossi is flying high
Default Gnutella spammer

It seems to be always the same spammer, at least in my part of gnutella net, and I have checked and compared often, at least 50 times in two months.

The IP-Adress is always 194.213.194.37, as far as I can see, which resolves to:

inetnum: 194.213.194.0-194.213.194.63
netname: GTS-CZ-HOSTING2-PPAHA
descr:Server Hosting(Praha) GTS Czech a.s.,
possibly a dial-up.

I am not sure if it would be helpful or effective in any way to complain at his isp (above).

I wonder how many spammers are out there...

Greetings
Reply With Quote
  #7 (permalink)  
Old June 15th, 2002
mgk mgk is offline
Novicius
 
Join Date: June 15th, 2002
Location: uk
Posts: 4
mgk is flying high
Default

hi

i had exactly the same thing on morpheus(which i have forcibly removed!) i thought i was going mad every search query i had there was always 3 types if file one an mp3,one a rar file and one an exe file from this ip address 66.250.52.45.

glad to know what it was
Reply With Quote
  #8 (permalink)  
Old June 19th, 2002
Apprentice
 
Join Date: May 20th, 2002
Posts: 7
cloudwatcher is flying high
Unhappy It IS Gnutella now

Quote:
Originally posted by ursula
In fact, it is not Gnutella anything.
It is an individual or company who happen to be "sharing" this garbage on the Gnutella Network. They also happen to be sharing this same garbage on WinMX and eDonkey, as well.

So, please don't think of these things as of the Gnutella Network.
I'm afraid I can't agree with you. These are not the result of normal sharing like you or I would do. It seems to be the result of someone purposely hacking the Gnutella network to disseminate their offal.

Since the hit you get is always EXACTLY the same as the search you entered, my guess is that they have constructed some kind of custom server software that uses the Gnutella protocol. For any query it receives, their application generates a positive hit by combining the query string and some other string like ".MPG" and ".URL". Then if someone takes the bait and goes to download the file, their server sends out one of its "payload" files using the constructed name.

None of the regular Gnutella clients could pull this off, and it's just not possible that these dolts are sharing files with names that correspond to EVERY possible search query.

As for the IP address of the spammer(s), there are now dozens of them. The latest update to Gnucleus has a list of them and it now supports blocking them! There are 44 IPs on the list so far. Some of them repsond with your search plus MPG and URL, some of them respond with "secret paysite passwords" plus your search, and there are other combinations as well.

It seems one or more versions of this custom software is now making the rounds among the lowlife scumsucking leeches of the net, being traded or sold in the fetid, stagnant pools of reeking filth where these creeps brew their sleazy marketing schemes.

Since Gnutella is an open source protocol, you get the good with the bad. Anyone can write a Gnutella client - but anyone can also abuse the protocol for their own ends. That's what these stinking orifices are doing. And now that they've crashed the party, they'll never leave. We'll just have to learn to ignore their offensive odor, the same as we've had to do with their spam in e-mail and their pop-up ads on the web.
Reply With Quote
  #9 (permalink)  
Old June 19th, 2002
ursula's Avatar
Cleaning Lady
 
Join Date: May 17th, 2002
Location: koyaanisqatsi
Posts: 2,334
ursula is a great assister to others; your light through the dark tunnel
Default

Hey, Cloudwatcher... (nice nick).......

Where exactly do we disagree?
I promise you that if we were talking about this subject in a private forum, my language would be a wee bit stronger than what I used in my above reply!

It IS some company pushing garbage with a really bad cheat that the majority will fall for.......

I find that I only get this [edit] if I do a search for some of the more rare things I am always looking for.
The thing seems to 'sense a degree of desperation' on the part of the searcher!!!!!! Geeeeeeeezzzz!!!!!

But.... BUT...... You are certainly affording far to great an ability, and a need for such ability, in regards to what we are really talking about...... Anybody can do it, right? I mean, it's just a link-file....... It's not the end of the world, right? No big anti-Gnutella Network conspiracy or anything remotely like it.... Just some more [edit]les trying to make a crude "buck" off the internet!

Never download any 28kb HTML files

Hey, I even edited my own post about these [edit]ers who do this [edit]!

Last edited by ursula; June 19th, 2002 at 03:29 PM.
Reply With Quote
  #10 (permalink)  
Old June 19th, 2002
Apprentice
 
Join Date: May 20th, 2002
Posts: 7
cloudwatcher is flying high
Default

Quote:
Where exactly do we disagree?
Well when I started this thread I thought I might be seeing evidence of Gnutella virus, but then when I found out what it really was, I called it a Gnutella spam. You said it's "not a Gnutella anything" and "please don't think of these things as of the Gnutella Network".

That's what I disagree with. This is a new kind of spam (or spam-like activity) that is ONLY spread via the Gnutella network and couldn't exist WITHOUT the Gnutella network.

Quote:
The thing seems to 'sense a degree of desperation' on the part of the searcher!!!!!!
Uhhh- I'm not sure where you're coming from with this one. I don't think your state of mind or the thing you're searching for really has much to do with it. I think the only thing that matters is whether one of these spambots is within your horizon when you do a search. If you're trying to say that it only kicks in when you do a porno search or something, well, I haven't found that to be the case. Why, I NEVER search for porn on Gnutella!

Quote:
It's not the end of the world, right? No big anti-Gnutella Network conspiracy or anything remotely like it...
Not a big conspiracy, but how about a lot of little ones... Wouldn't that have the same effect? When you think about it, the whole concept of Gnutella is largely based on trust and goodwill. And the cretins who run these spambots are violating that spirit. They're in the same league as the jokers who purposely mis-label their files, only worse since they're doing it to turn a buck instead of just to be ornery. They are liars, and liars bug me, just on principle.

Sure, the tools they are using are crude enough now, and their tricks are mostly easy to ignore. But they add "noise" to the network and make it just a little harder to use. And you know they're not going to stop with these crude tools - they'll get more sophisticated, and Gnutella will suffer as a result.

Remember when pop-up ads were only used by porno sites? Now they're used by everybody who runs ads on the web - and web surfing is exponentially more annoying. How long until the noise overwhelms the "signal" in the Gnutella network? How long until somebody else uses this same tactic in a more aggressive fashion?

What if you did a search that returned 100 identical hits, yet 35 of them were actually spam in disguise? You'd stand a pretty good chance of getting a spam instead of the file you really wanted. Eventually, you'd start to download as many copies of each file as your bandwidth could handle, just to make sure you had at least one good copy in amongst the bogus ones. Multiply that increase by the number of users on the network, and you've got a pretty big bandwidth hit.

Not to mention what a pain it would be sorting out the fakes from the real files. Suppose RIAA started balsting out thousands of files that contained the first 45 seconds of a song, then switched over to a recorded announcement about file sharing being stealing?

I dunno. I'm not gonna cry all night over this or anything, it just ticks me off.

BTW - glad you like the nick!
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
***Virus Searches and Downloads That Don't Work *** marchend Open Discussion topics 3 January 9th, 2006 10:10 AM
Gnutella W32.Alcra.B Virus/Trojan Migration erikinlongbeach General Gnutella / Gnutella Network Discussion 2 December 19th, 2005 02:20 PM
More virus found on Gnutella network shanojkk Download/Upload 0 October 16th, 2005 02:56 PM
Should Gnutella developers work on measures to achieve anonymity on Gnutella? Joakim Agren General Gnutella / Gnutella Network Discussion 23 August 27th, 2003 09:18 AM
Virus??? Please ALL Gnutella users check this!! klauspendolo General Gnutella / Gnutella Network Discussion 1 February 18th, 2003 10:12 AM


All times are GMT -7. The time now is 08:54 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.