Security Incidents mailing list archives
FYI: EverAdSv.exe / PlayJ http traffic frenzy
From: Adam Kujawski <adamkuj () GATORDOG COM>
Date: Tue, 13 Feb 2001 19:08:58 -0500
Today I noticed a very large number of failed HTTP requests originating from a Windows NT workstation on my network. There were no web browsers open. My first thought was that the workstation was being used in a DoS attack. Here is an overview of the traffic:

len= 24 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B0, ack 0x0, win 8192, SYN
len= 28 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C6, ack 0x5F5342B1, win 8760, SYN ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B1, ack 0x7F3241C7, win 8760, ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B1, ack 0x7F3241C7, win 8760, FIN ACK
len= 20 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C7, ack 0x5F5342B2, win 0, RST
len= 20 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C7, ack 0x5F5342B2, win 0, ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B2, ack 0x5F5342B2, win 0, RST

There were several of these exchanges per second - about 7KB/sec worth, and it had been going on for about 5 hours.

It turns out that the traffic was being generated by the program EverAdSv.exe called by the registry at startup. The program was installed as a part of PlayJ (www.playj.com), a free multimedia/music player that is supported by banner ads. Even though the PlayJ program was not being used, the banner ad client was running. Further, it appears that the banner ad webserver had died and was not fulfilling requests (I could successfully telnet to port 80 of 216.74.130.30, but not issue any commands). Rather than retrying after a specified time, the EverAdSv.exe client immediately issued more HTTP requests. The client was probably overwhelming their web servers.

Anyways, you may want to keep an eye out for this problem and keep the PlayJ program off of your network.

-Adam Kujawski
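A way to spot the pattern reported above from a capture in the same trace format, as an added example that is not part of the original post: a connection whose FIN carries the sequence number ISN+1 sent zero request bytes, and a client opening many such empty connections to one server port is the retry-without-backoff signature described. The client addresses (10.0.0.x) and the sample trace are constructed; the server address is the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the post's trace format: three empty connections from
# 10.0.0.5 to the ad server, and one normal data-carrying connection from 10.0.0.7.
SAMPLE_TRACE = """\
len= 24 TCP from 10.0.0.5.3960 to 216.74.130.30.80 seq 5F5342B0, ack 0x0, win 8192, SYN
len= 28 TCP from 216.74.130.30.80 to 10.0.0.5.3960 seq 7F3241C6, ack 0x5F5342B1, win 8760, SYN ACK
len= 20 TCP from 10.0.0.5.3960 to 216.74.130.30.80 seq 5F5342B1, ack 0x7F3241C7, win 8760, FIN ACK
len= 24 TCP from 10.0.0.5.3961 to 216.74.130.30.80 seq 5F5400A0, ack 0x0, win 8192, SYN
len= 20 TCP from 10.0.0.5.3961 to 216.74.130.30.80 seq 5F5400A1, ack 0x7F3300A1, win 8760, FIN ACK
len= 24 TCP from 10.0.0.5.3962 to 216.74.130.30.80 seq 5F5500A0, ack 0x0, win 8192, SYN
len= 20 TCP from 10.0.0.5.3962 to 216.74.130.30.80 seq 5F5500A1, ack 0x7F3400A1, win 8760, FIN ACK
len= 24 TCP from 10.0.0.7.4000 to 216.74.130.30.80 seq 00001000, ack 0x0, win 8192, SYN
len= 20 TCP from 10.0.0.7.4000 to 216.74.130.30.80 seq 00001200, ack 0x0000ABCD, win 8760, FIN ACK
"""

# One line of the trace format quoted in the post.
LINE_RE = re.compile(
    r"len=\s*(?P<len>\d+) TCP from (?P<src>[\w.]+)\.(?P<sport>\d+) to "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+) seq (?P<seq>[0-9A-Fa-f]+), "
    r"ack 0x[0-9A-Fa-f]+, win \d+, (?P<flags>[A-Z ]+)$"
)

def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["seq"] = int(p["seq"], 16)
            p["flags"] = set(p["flags"].split())
            packets.append(p)
    return packets

def empty_connections(packets):
    """Count, per (client, server, port), connections where the client's FIN seq == ISN + 1."""
    isn = {}                  # (src, sport, dst, dport) -> client's initial sequence number
    counts = defaultdict(int)
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if "SYN" in p["flags"] and "ACK" not in p["flags"]:
            isn[key] = p["seq"]
        elif "FIN" in p["flags"] and key in isn:
            if p["seq"] == isn.pop(key) + 1:   # no request bytes were ever sent
                counts[(p["src"], p["dst"], p["dport"])] += 1
    return dict(counts)

def noisy_clients(text, threshold):
    """(client, server, port) tuples with at least `threshold` empty connections."""
    return sorted(k for k, n in empty_connections(parse_trace(text)).items() if n >= threshold)
```

In a live capture the threshold would be applied per time window; on the post's traffic (several exchanges per second for hours) even a small window trips it.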