From: HalbaSus (halbasus_at_go.ro)
Date: Tue Sep 10 2002 - 05:39:44 CDT
Yes, I read about this virus too. BUT:
These requests appeared on 2 boxes. One is a cable hosted small mailserver (I'm
pretty sure it's not compromised), while the second box is my home dial-up
machine (I'm not even running apache all the time, only when I do tests). Yet
while the two IPs belong to the same ISP, they don't have similar IPs.
The source IPs were different, and so was the time of the "attack"... Also, on my
dial-up box I had 3 requests (coming at intervals of about 40 minutes), but
during this time my IP had changed (remember, dial-up dynamically allocated
IPs). That's why I suspect some sort of scanner-like action.
The other weird thing is that my dial-up box was "scanned" for b.cgi from 3
different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes
(even if meanwhile I changed my IP).
The GET request is pretty weird:
GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla
It might be encrypted but it looks like a pretty simple encryption to me (yet
I'm not a cryptographer, just guessing... )
The fact that the & sign is repeated makes me believe that actually there are
2 "encrypted" commands (if we're talking about the virus).
Now, I believe it's obvious that this virus/worm/whatever is scanning for
"b.cgi"... In the description of Frethem it says that it tries to connect to
a number of predefined hosts... Is this some new version with an included
scanner or something?
Oh, one more interesting thing... I usually get daily like 2-3 e-mails "Hi,
your password" or "This is a good tool" etc... all of them trying to exploit
IFRAME and human stupidity (I'm running FreeBSD and KMail so I don't think
I'm infected or anything). BUT... I believe that other users from my ISP got
the very same message so... is it possible for a "worm" to open a daemon
sitting on 80 waiting for b.cgi inputs? If it is... it's starting to make
sense. Some dude got infected but since he is on dial-up too, the other
clients have to "scan" for it.
Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable
but was turned off... so they're probably home Windows computers...
(nimda/codered/apache-worm type worms excluded since they would only
penetrate webservers)
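As an added example, not part of the original post: a small Python script that pulls requests for b.cgi out of Apache combined-format log lines, splits the query string on the repeated & the poster points out, and reports the minutes between successive probes, which is the kind of steady cadence that suggests automated scanning. The log lines are constructed sample data and the source addresses are documentation-range placeholders, not the real sources from the post.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format (addresses are
# documentation-range placeholders, not the original poster's real sources).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2002:03:12:41 -0500] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [10/Sep/2002:03:20:05 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.55 - - [10/Sep/2002:03:52:19 -0500] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.99 - - [10/Sep/2002:04:33:02 -0500] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
"""

# One combined-format line: client, ident, user, [timestamp], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_probes(text, script="/b.cgi"):
    """Return one dict per request whose path is exactly `script`, in file order."""
    probes = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed combined-log entries
        path, _, query = m.group("path").partition("?")
        if path != script:
            continue
        probes.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "status": int(m.group("status")),
            "fields": query.split("&") if query else [],  # the '&'-separated parts
            "ua": m.group("ua"),
        })
    return probes


def interarrival_minutes(probes):
    """Whole minutes between successive probes; a steady cadence hints at automation."""
    return [round((b["ts"] - a["ts"]).total_seconds() / 60) for a, b in zip(probes, probes[1:])]


if __name__ == "__main__":
    found = parse_probes(SAMPLE_LOG)
    for p in found:
        print(p["ts"].isoformat(), p["ip"], p["status"], p["fields"])
    print("distinct sources:", len({p["ip"] for p in found}))
    print("minutes between probes:", interarrival_minutes(found))
```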
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com