This isn't a complaint but just a warning. Please forward to gnutters esp. in the UK.

After using gnut on Linux I had a check of network activity using netstat (I'm a bit paranoid about P2P). I got a lot of this sort of thing:

tcp 1 0 modem-39.kole-tang:2550 212.69.222.50:www CLOSE_WAIT tcp 1 0 modem-39.kole-tang:2550 212.69.222.50:www CLOSE_WAIT tcp 1 0 modem-39.kole-tang:2550 212.69.222.50:www CLOSE_WAIT tcp 1 0 modem-39.kole-tang:2550 212.69.222.50:www CLOSE_WAIT tcp 0 348 modem-39.kole-tang:2695 212.69.222.50:www ESTABLISHED tcp 1 0 modem-39.kole-tang:2550 212.69.222.50:www CLOSE_WAIT tcp 0 361 modem-39.kole-tang:2698 212.69.222.50:www ESTABLISHED tcp 0 357 modem-39.kole-tang:2697 212.69.222.50:www ESTABLISHED tcp 0 0 modem-39.kole-tang:2696 212.69.222.50:www ESTABLISHED

which looks like a hack (I'm not sure).

http://212.69.222.50 turned out to host a homepage for some sort of private investigation company (Midland Administration Service, 6 Somers Road, Rugby, CV22 7DE) which is rather fishy!

Next I had a look with gnut using:

gnut> find 212.69.222.50
Searching the gnutella network for: 212.69.222.50
Press any key to continue
2 responses received.
Current query is '212.69.222.50'
All responses:
1)212.69.222.50.exe
130.214.55.236:99 size:8.00K ref: 0 speed: 512
2)212.69.222.50.exe
192.168.1.10:99 size:8.00K ref: 0 speed: 512

I would advise against downloading and running this!


------------------

Looks like that servant wanted to down load a file you had set up for sharing.

On your serch for the IP address( which won't connect you to that host, if thats what you want add it to your connects list) you got exact matchs with the .exe THIS IS A KNOWN WORM. Read :
http://www.securityportal.com/pr/pr.20010228200811.html

[This message has been edited by lightstone (edited 03-29-2001).]

When I was looking at netstat I had closed gnut, and I hadn't been sharing anything. I am not infected with the Mandragore Worm as I haven't downloaded or run any EXEs and if I had they wouldn't have done anything as I run Linux.

Certainly that EXE looks like the worm. Perhaps I was just seeing an attempt to contact the worm, which wasn't there. I need to learn to read the netstat output.

------------------


[This message has been edited by Colin Wills (edited 03-30-2001).]

[This message has been edited by Colin Wills (edited 03-30-2001).]

Ok, I think you had been on the network and that 'Posts" your IP as a good Host and somebody was trying to establish an "Inbound" connection.

You are right about the worm, the search was telling you what it had found and those host are infected.

"Just because you are paranoid doesn't mean they arn't after you!"

I've downloaded snort (http://www.snort.org/) - just in case.