From: HalbaSus (halbasus_at_go.ro)
Date: Sun Sep 08 2002 - 10:33:59 CDT
I recently noticed in httpd-access.log these entries:

200.140.XXX.XXX - - [03/Sep/2002:16:42:28 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
62.98.XXX.XXX - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"

I searched for info about b.cgi on Google and it says it's a worm that tries to
connect to a few listed sites, get some encrypted commands and execute them
on the virused host.

But why would it connect to my site? (I even noticed such entries on my home
dial-up system.) I suspect it's some worm/scanner (like codered 'n stuff) but
what vulnerability could someone find in b.cgi?

Does anybody know something about this?

BTW, I traced the IP to Brazil... home of the script kiddie groups... could it
be some of their ./haxor-script -scan_the_internet stuff?
--
-------------------
Proud member of PentaGuard
"Making the net a safer place since 1998"
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
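
An added example, not part of the original post: one way to pull requests of the shape quoted above out of an access log and group them by client, so repeat senders and any non-404 response stand out. It assumes Apache combined log format; the function names are hypothetical, the query pattern is derived only from the two entries in the post, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shape seen in the post's two entries: /b.cgi?<word>&<decimal>&<hex>
QUERY_RE = re.compile(r'^/b\.cgi\?(?P<tag>\w+)&(?P<num>\d+)&(?P<hexid>[0-9A-Fa-f]+)$')

# Constructed sample lines (documentation addresses, not real log data)
SAMPLE_LOG = """\
192.0.2.10 - - [03/Sep/2002:16:42:28 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.10 - - [03/Sep/2002:18:02:11 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
203.0.113.5 - - [03/Sep/2002:18:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [03/Sep/2002:18:06:00 +0000] "GET /b.cgi HTTP/1.1" 404 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def find_b_cgi_hits(log_text):
    """Return {client: [hit, ...]} for requests matching the b.cgi query shape."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format entry
        q = QUERY_RE.match(m.group("target"))
        if not q:
            continue  # some other request, including a bare /b.cgi
        hits[m.group("host")].append({
            "time": m.group("time"),
            "status": int(m.group("status")),
            "tag": q.group("tag"),
            "hexid": q.group("hexid"),
            "agent": m.group("agent"),
        })
    return dict(hits)

def summarize(hits):
    """Per client: request count, distinct hex fields, and whether any request was not a 404."""
    return {
        host: {
            "count": len(rows),
            "hexids": sorted({r["hexid"] for r in rows}),
            "any_non_404": any(r["status"] != 404 for r in rows),
        }
        for host, rows in hits.items()
    }
```

A client whose `any_non_404` is true reached something that actually answered at that path, which is the case worth looking at first.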