Qualys Inc <researchat_private> wrote:

<<snip>>

> The backdoor process of Remote Shell Trojan also issues an HTTP GET
> request to port 80 on the host 212.15.64.41 (orinoco.portland.co.uk).
> This host does not appear to return any meaningful results upon
> such a request.

Is it just a simple GET requesting that site's homepage??

I note that the page returned from that site includes this:

<FORM ACTION="http://www.portland.co.uk/cgi-bin/formmail.pl"...

and wondered if it may be one of the vulnerable formmails that can be used for arbitrary Emailing. This would be a simple way to obfuscate (at the Trojan-compromised site's end) an Email-based "phone home" scheme...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 09 2001 - 14:19:53 PDT
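Two defensive checks that follow from the thread, as an added example that is not part of the original post: one flags outbound GET requests to the host quoted in the Qualys report (212.15.64.41 / orinoco.portland.co.uk) in proxy logs, the other scans fetched HTML for forms whose action targets a formmail.pl script, the pattern Nick noted. The log lines and HTML body are constructed sample input, and the squid-style log layout is an assumption.

```python
"""Added example (not the original post's code): two detection checks
drawn from the thread. The hosts are the ones quoted in the report; the
log lines and HTML below are constructed sample input, not real traffic."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the original report.
SUSPECT_HOSTS = {"212.15.64.41", "orinoco.portland.co.uk"}

# Constructed sample in a squid-style access-log layout (assumed format):
# timestamp elapsed client status/code bytes method url ...
SAMPLE_LOG = """\
999999999.001 120 10.0.0.5 TCP_MISS/200 4021 GET http://orinoco.portland.co.uk/ - DIRECT/212.15.64.41 text/html
999999999.002 80 10.0.0.7 TCP_HIT/200 1200 GET http://www.example.org/index.html - NONE/- text/html
999999999.003 95 10.0.0.5 TCP_MISS/200 512 GET http://212.15.64.41/ - DIRECT/212.15.64.41 text/html
"""

def suspicious_requests(log_text):
    """Return (client_ip, url) for GET lines whose URL host is a suspect host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client, method, url = fields[2], fields[5], fields[6]
        host = (urlparse(url).hostname or "").lower()
        if method == "GET" and host in SUSPECT_HOSTS:
            hits.append((client, url))
    return hits

class FormActionCollector(HTMLParser):
    """Collect the ACTION attribute of every <form> tag (parser lowercases tag/attr names)."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)

def formmail_actions(html_text):
    """Return form action URLs whose path ends in formmail.pl (case-insensitive)."""
    parser = FormActionCollector()
    parser.feed(html_text)
    return [a for a in parser.actions
            if urlparse(a).path.lower().endswith("formmail.pl")]

# Constructed sample page body containing a form like the one Nick quoted.
SAMPLE_HTML = """<html><body>
<FORM ACTION="http://www.portland.co.uk/cgi-bin/formmail.pl" METHOD="POST">
<INPUT TYPE="text" NAME="comment"></FORM>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for client, url in suspicious_requests(SAMPLE_LOG):
        print(f"suspect GET from {client}: {url}")
    for action in formmail_actions(SAMPLE_HTML):
        print(f"form posts to formmail script: {action}")
```

Both checks are deliberately narrow: the first matches on the request host only, so it works on any log format where the client and URL fields sit in the assumed columns, and the second looks at the parsed form action rather than grepping the raw page, so case and attribute order do not matter.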