Hey you, program, Stop when closed!
Aug. 06, 2004, 06:01 PM
Post: #1
 
I've been file sharing since before Napster. Before IMs. Before I knew anyone else with email, even. I consider myself "versed" in the ways of file transfers and the programs associated with accomplishing such tasks.

With this explained, I shall continue.

I came back from lunch today to find Sygate and Protowall all lit up. This was unusual, as I generally don't automate anything to connect to the internet.

I checked the logs and found that Shareaza had been sending packets for roughly 33 hours (time since last reboot). Thinking something was wrong, and not wanting to go to the dreadfully slow computer forums (like CC) I decided to mention this here and temporarily block Shareaza.

Now, prior to Shareaza I was using Bit Tornado, Overnet, and K++. I noticed the same thing would happen on occasion, but would go away after a bit. Considering that Shareaza has been closed for roughly five hours, this seems related-but-not-identical to what was happening previously.

Curiously, these packets don't seem to cause any type of lag. Can someone please explain what's going on and tell me whether to stab the panic button or not (hopefully not -- I've been able to hit 98% bandwidth usage with Shareaza).

I'll try being nicer when you try being smarter.
Aug. 07, 2004, 04:17 AM
Post: #2
 
'Cos I'm an old fogie, and the very mention of file-sharing apps gives me the screaming ab-dabs, I'll start with the painfully obvious: spyware phonin' home, a special low-bandwidth worm replicating itself or pinging other computers... some sort of data-mining thing.
Shareaza is open source - why not ditch this seemingly corrupted copy and install a fresh one?
Have you intercepted any of the packets for closer inspection? What does your sniffing device say? Where is Shareaza sending the data? To one address or hundreds?
My first move would be a virus and trojan scan at any rate. Could also be a smurf attack...

_J_G_
Aug. 07, 2004, 08:59 AM
Post: #3
 
a_s_b;

As Meg Ryan would say "You got ICMP's". Big Teeth

Shareaza is announcing its availability to others in the network with ICMP packets. Nothing dangerous in itself, but it does broadcast to others that you are wide open. Not to mention that you have been opened wide, by this somewhat deceitful proggie.

Your call as to how to handle the situation.


Oddysey

I'm no longer in the rat race - the rats won't have me!
Aug. 07, 2004, 01:19 PM
Post: #4
 
Jade;

Clean program, 100% A-okay American hotdog Babe Ruth. I ran roughly 13 virus/trojan/malware/pesterware scans, and even checked every single changed registry key and file via a handy little program that logs changes.

I've already reinstalled in fact, and the changes were identical. The traffic is spanning many, MANY IPs but is always using the same Shareaza port.

Odd;

I have no problem with that aside from the fact that it's doing it while the program is closed. Last I checked, when I terminate a process, it should... ummm... cease all activity. Also, I noticed a misprint in my original post; Shareaza's receiving packets -- not sending them.

Query: Could I be receiving _so_ much traffic that the logs are just "catching up"?

I'll try being nicer when you try being smarter.
Aug. 07, 2004, 05:38 PM
Post: #5
 
a_s_b;
Quote:I have no problem with that aside from the fact that it's doing it while the program is closed. Last I checked, when I terminate a process, it should... ummm... cease all activity. Also, I noticed a misprint in my original post; Shareaza's receiving packets -- not sending them.

Query: Could I be receiving _so_ much traffic that the logs are just "catching up"?
That puts a different complexion on things, yes indeedy. Wink

But tell me, if Shareaza is completely shut down, how is it that the proggie is receiving packets? Or did you mean to say that your machine is receiving packets, not Shareaza? :P

At this point, I'm gonna make a WAG, and say that once Shareaza has started, it has alerted a network of other machines, who in turn have alerted others..... They are then attempting to contact your machine, to see if some particular file is stored there, and available for d/l. But I am only guessing here. To test that theory, I'd re-boot without Shareaza, and see what kind of activity I get. Make sure that nothing in the Shareaza universe (dll's, etc.) starts at bootup. That should either implicate Shareaza, or completely exonerate it. Booting without letting Shareaza run at all is probably the only way to tell if my guess is correct, or not.

As for your query about lagging loggings (Sorry, couldn't help it. <_<), I'd be concerned if your assertion were true - received packets were so numerous that the log file function couldn't keep up. That would be a lot of CPU time, I should think. Personally, I don't believe that's the case, but it does raise another, and more interesting, point. Whose log files are we talking about here - Shareaza's, or some other port monitoring package? If it's Shareaza's log file, and that proggie is allegedly closed down, then how is the log file being updated??? [unsure]


Oddysey

I'm no longer in the rat race - the rats won't have me!
Aug. 07, 2004, 07:23 PM
Post: #6
 
Yeah, that'd be clever, Odd'.

There again,I found this skin at wincustomize that all Kazaa-like gear should come bundled with as standard:

http://www.wincustomize.com/window.asp?Cmd...oreupXPwbss.jpg

_J_G_
Aug. 08, 2004, 06:20 PM
Post: #7
 
Quote:But tell me, if Shareaza is completely shut down, how is it that the proggie is receiving packets? Or did you mean to say that your machine is receiving packets, not Shareaza?

At this point, I'm gonna make a WAG, and say that once Shareaza has started, it has alerted a network of other machines, who in turn have alerted others..... They are then attempting to contact your machine, to see if some particular file is stored there, and available for d/l. But I am only guessing here. To test that theory, I'd re-boot without Shareaza, and see what kind of activity I get. Make sure that nothing in the Shareaza universe (dll's, etc.) starts at bootup. That should either implicate Shareaza, or completely exonerate it. Booting without letting Shareaza run at all is probably the only way to tell if my guess is correct, or not.

As for your query about lagging loggings (Sorry, couldn't help it. ), I'd be concerned if your assertion were true - received packets were so numerous that the log file function couldn't keep up. That would be a lot of CPU time, I should think. Personally, I don't believe that's the case, but it does raise another, and more interesting, point. Whose log files are we talking about here - Shareaza's, or some other port monitoring package? If it's Shareaza's log file, and that proggie is allegedly closed down, then how is the log file being updated???


I'm seeing that packets are being received by Shareaza.exe, after close, in Sygate Pro. After close, Sygate lists Shareaza as being active, even though I can't terminate the process. I can select to refuse Shareaza to have access, and all the packets appear blocked.

Upon restart, even after program is completely removed (all .dll's and registry entries included) I'm still seeing the packet traffic in Sygate, even though they're blocked as they're not directed at Shareaza.

The above is the same outcome of rebooting the system and not starting Shareaza. Without the program running, it seems Sygate won't allow the packets.

I've figured the overall traffic to be roughly 650 Kb/day, which isn't much on a 768 ADSL line. But this isn't a concern of congestion, it's a concern of security.

I did some searching and found this thread on the Shareaza forums, but was/am too tired to read it entirely. It seems to be sharing my concern.

http://forums.shareaza.com/showthread.php?...ighlight=closed

I'll try being nicer when you try being smarter.
Aug. 09, 2004, 12:26 AM
Post: #8
 
Ummm... bad? The attached image is my Sygate security log (rather than attach the whole log, I made an image of the issue).

Shareaza is _really_ starting to worry me. I can't find anything about a false positive regarding NetMetro in regards to Sygate, and I can't find anything about NetMetro regarding Shareaza.

And I've stopped blocking Shareaza. I got a hankerin' to watch "Big Trouble in Little China" that couldn't be ignored.

My virus scans, Ad scans, Trojan scans, and hook scans all came back clean. Can anyone think of any possibilities as to what's going on?

I'll try being nicer when you try being smarter.
Aug. 09, 2004, 04:48 PM
Post: #9
 
a_s_b;

So, even when Shareaza is not running, Sygate still reports inbound packets destined for that proggie, eh? What's most likely happening is that once your IP addy became known on the Shareaza network, then any time someone else requests a file of some sort, your addy is consulted, and if it's not available at the moment, no problem - they just try back later. That's how the whole shebang works, trying to gain access over and over and over...... Your IP addy has probably been stored in hundreds of Shareaza machines - you may be in deep doo-doo, my friend.

But tell me, what happens when you try to access or search for a tune or movie with Shareaza? Does Sygate report lots of outbound packets, to many different IP addy's? If so, then you've got a list on your machine somewhere. And my guess about you being on a list forever is even more likely. Ouch. [angry]

Not much else I can offer just now, sorry.


Oddysey

I'm no longer in the rat race - the rats won't have me!
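A way to check Oddysey's explanation against the firewall log, as an added example that is not from this thread and not code from Shareaza or Sygate: if the inbound traffic after the client is closed comes from many distinct peer addresses, all aimed at the one file-sharing port, all dropped, and nothing on the machine is listening on that port, it matches other peers retrying a cached address rather than a process still running on the host. The log and netstat-style lines below are constructed in a simplified format (not Sygate's real output), and port 6346 is an assumed placeholder for "the Shareaza port".

```python
"""Summarise dropped inbound attempts per destination port from a firewall log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not Sygate's real format):
# date time direction action protocol source_ip source_port destination_port
SAMPLE_LOG = """\
2004-08-07 13:02:11 IN BLOCK UDP 203.0.113.7 6346 6346
2004-08-07 13:02:40 IN BLOCK UDP 198.51.100.23 6346 6346
2004-08-07 13:03:05 IN BLOCK TCP 192.0.2.77 4911 6346
2004-08-07 13:03:59 IN BLOCK UDP 203.0.113.7 6346 6346
2004-08-07 13:05:14 IN BLOCK UDP 198.51.100.90 6346 6346
2004-08-07 13:06:30 IN BLOCK TCP 192.0.2.14 1188 6346
2004-08-07 13:07:02 IN ALLOW TCP 192.0.2.5 3412 80
2004-08-07 13:08:45 IN BLOCK UDP 203.0.113.41 6346 6346
"""

# Constructed netstat-style listing: protocol local_address state/remote pid
SAMPLE_LISTENERS = """\
TCP 0.0.0.0:135 LISTENING 812
TCP 0.0.0.0:445 LISTENING 4
UDP 0.0.0.0:500 *:* 664
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, direction, action, proto, src_ip, src_port, dst_port = line.split()
        entries.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "direction": direction, "action": action, "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port), "dst_port": int(dst_port),
        })
    return entries


def summarize_inbound_blocked(entries):
    """Per destination port: attempts, distinct source IPs, and time span in minutes."""
    by_port = defaultdict(lambda: {"attempts": 0, "sources": set(), "first": None, "last": None})
    for e in entries:
        if e["direction"] != "IN" or e["action"] != "BLOCK":
            continue
        s = by_port[e["dst_port"]]
        s["attempts"] += 1
        s["sources"].add(e["src_ip"])
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
    return {
        port: {
            "attempts": s["attempts"],
            "distinct_sources": len(s["sources"]),
            "span_minutes": (s["last"] - s["first"]).total_seconds() / 60,
        }
        for port, s in by_port.items()
    }


def looks_like_stale_peer_cache(summary, min_sources=3, min_spread=0.5):
    """Heuristic (an assumption, not a rule from the thread): attempts coming from
    many distinct sources against one port, with few repeats per source, match
    peers retrying an address they cached while the client was online."""
    return {
        port: s["distinct_sources"] >= min_sources
        and s["distinct_sources"] / s["attempts"] >= min_spread
        for port, s in summary.items()
    }


def listeners_on_port(text, port):
    """Return (protocol, pid) pairs from the netstat-style listing bound to `port`.
    An empty result means no local process is accepting that traffic."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, local = parts[0], parts[1]
        if int(local.rsplit(":", 1)[1]) == port:
            found.append((proto, parts[-1]))
    return found


if __name__ == "__main__":
    summary = summarize_inbound_blocked(parse_log(SAMPLE_LOG))
    verdict = looks_like_stale_peer_cache(summary)
    for port, s in summary.items():
        print(f"port {port}: {s['attempts']} dropped attempts from "
              f"{s['distinct_sources']} sources over {s['span_minutes']:.1f} min; "
              f"stale-peer pattern: {verdict[port]}; "
              f"local listeners: {listeners_on_port(SAMPLE_LISTENERS, port) or 'none'}")
```

The two results that matter are read together: a high distinct-source ratio on the one port says the senders are many different peers, and an empty listener list says nothing on the host answered them. The same summary would flag the opposite case (one or two sources repeating against many ports), which is when a scan rather than a peer retry is the better reading.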
Aug. 09, 2004, 05:33 PM
Post: #10
 
When I search or download, I don't have a packet increase. Also, I have no list on my machine of other machines. At least, if I _do_ have a list, it's embedded within another file.

However, it does seem that once my IP is in the network it get passed around like a thai hooker. I'm getting traffic from addresses I never have before. My guess is that these new machines are getting my IP from other machines.

My next question is a fun one -- what do you suppose would happen if I were to uninstall the program, release my IP, and get a new one? Think it would have any effect?

I'll try being nicer when you try being smarter.
Aug. 09, 2004, 06:37 PM
Post: #11
 
a_s_b;
Quote:My next question is a fun one -- what do you suppose would happen if I were to uninstall the program, release my IP, and get a new one? Think it would have any effect?
The answer is easy - if you have a DHCP connection, then your IP addy changes every so often anyway. If you force the issue with a release/renew, then you might get the same addy, you might get a different one. But if it is different, then one thing's almost a sure bet. Whoever next gets your old addy, that poor sod is gonna be screamin' bloody murder! Big Teeth [lol]

If you have a static IP addy, then there's no release/renew option for you. Although, perhaps, you could at least ask your ISP, see what they could do for you in that regard. One never knows, does one? <_<

I about spewed all over my monitor when I saw your reference to the "women of lower standards" - that was priceless! [lol] Keep it up!


Oddysey

I'm no longer in the rat race - the rats won't have me!
Aug. 10, 2004, 06:03 PM
Post: #12
 
Odd;

Though I'm on ADSL (static), I tend to call my ISP once a month or so and ask for a new IP. All I do is tell them that my current one is invalid (164.0.0.0) and they let me renew it. Sometimes I even get a "trouble ticket" and get a free month of service.

I tend to actually get a bad IP about twice a year, when they're messing with the lines or their hardware. At this point, though, they're so used to it they might release me IP if I didn't even ask.

I feel almost bad for taking advantage of such a nice company -- they even send me chocolates at Christmas -- but it doesn't really cost them anything to pander to my paranoia and doing so has won them a loyal customer.

I do like the idea of someone else getting the IP and a whole bunch of traffic after I release it, though, and it wouldn't be the first time it happened Big Teeth

I'll try being nicer when you try being smarter.
Aug. 10, 2004, 06:39 PM
Post: #13
 
a_s_b;

That's interesting. I've had the same IP addy for almost two years now. It's time I picked up the phone, and see what comes of it. But somehow, I doubt I'll get any chocolate out of the deal. [angry]

Thanks for the idea. [lol]


Oddysey

I'm no longer in the rat race - the rats won't have me!