
 
From: HalbaSus (halbasus_at_go.ro)
Date: Tue Sep 10 2002 - 05:39:44 CDT


Yes, I read about this virus too. BUT:

These requests appeared on 2 boxes. One is a cable-hosted small mail server (I'm
pretty sure it's not compromised), while the second box is my home dial-up
machine (I'm not even running Apache all the time, only when I do tests). Yet
the two IPs belong to the same ISP; they don't have similar IPs.

The source IPs were different, and so was the time of the "attack"... Also, on my
dial-up box I had 3 requests (coming at intervals of about 40 minutes), but
during this time my IP had changed (remember, dial-up dynamically allocated
IPs). That's why I suspect some sort of scanner-like action.

The other weird thing is that my dial-up box was "scanned" for b.cgi from 3
different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes
(even if meanwhile I changed my IP).

The GET request is pretty weird:

     GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla

It might be encrypted, but it looks like a pretty simple encryption to me (yet
I'm not a cryptographer, just guessing...)

The fact that the & sign is repeated makes me believe that there are actually
2 "encrypted" commands (if we're talking about the virus).

Now, I believe it's obvious that this virus/worm/whatever is scanning for
"b.cgi"... In the description of Frethem it says that it tries to connect to
a number of predefined hosts... Is this some new version with an included
scanner or something?

Oh, one more interesting thing... I used to get daily like 2-3 e-mails "Hi,
your password" or "This is a good tool" etc... all of them trying to exploit
IFRAME and human stupidity (I'm running FreeBSD and KMail, so I don't think
I'm infected or anything). BUT... I believe that other users from my ISP got
the very same message, so... is it possible for a "worm" to open a daemon
sitting on 80 waiting for b.cgi inputs? If it is... it's starting to make
sense. Some dude got infected, but since he is on dial-up too, the other
clients have to "scan" for it.

Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable
but was turned off... so they're probably home Windows computers...
(nimda/codered/apache-worm type worms excluded since they would only
penetrate webservers)
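The poster's reasoning (same odd path, several unrelated source addresses, all 404s, hits spaced roughly 40 minutes apart) can be turned into a small log check. The following is an added example, not code from the post or from any tool it mentions: it parses Apache combined-format lines, groups requests by path, and reports paths that look like scanner probes. The sample log lines are constructed for this example (documentation-range addresses, timestamps chosen to mimic the described spacing); only the request fragment itself comes from the post. The thresholds (at least 2 distinct sources, at least 10 minutes between hits) are assumptions you would tune for your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format. The post shows only a fragment of one such line;
# the full layout (client, ident, user, [time], "request", status, size,
# "referer", "user-agent") is assumed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the page): three probes for /b.cgi from
# three different documentation-range addresses about 40 minutes apart, plus
# one ordinary request for contrast.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2002:09:00:12 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [10/Sep/2002:09:41:03 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
203.0.113.55 - - [10/Sep/2002:10:20:47 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.44 - - [10/Sep/2002:10:22:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Split the target into path and the '&'-separated query fields the post
    # points at ("money", a decimal-looking number, a hex-looking string).
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query_fields"] = query.split("&") if query else []
    return rec


def find_probed_paths(lines, min_sources=2, min_gap_minutes=10):
    """Return paths that look like scanner probes: requested by >= min_sources
    distinct client IPs, every request a 404, and consecutive hits spaced at
    least min_gap_minutes apart (assumed thresholds)."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append(rec)

    findings = {}
    for path, recs in by_path.items():
        ips = {r["ip"] for r in recs}
        if len(ips) < min_sources or any(r["status"] != 404 for r in recs):
            continue
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() / 60
                for a, b in zip(recs, recs[1:])]
        if gaps and min(gaps) < min_gap_minutes:
            continue
        findings[path] = {
            "sources": sorted(ips),
            "gaps_minutes": [round(g) for g in gaps],
            "query_fields": recs[0]["query_fields"],
        }
    return findings


if __name__ == "__main__":
    for path, info in find_probed_paths(SAMPLE_LOG.splitlines()).items():
        print(path, info)
```

On the constructed sample this flags only /b.cgi, with three sources and gaps of about 41 and 40 minutes, and leaves /index.html alone; the query fields come out as the three '&'-separated tokens the post remarks on. The same grouping applied to real logs gives you the distinct-source count and spacing directly instead of eyeballing them.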

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com