This is a followup to my post on Friday about strange port 80 probes.

On Mon, 2002-08-05 at 14:20, auscertat_private wrote:
>
> Greetings Russell,
>
> The lists seem to agree that Frethem is the culprit. Our AusCERT Update
> on Frethem doesn't discuss the activity you mentioned unfortunately. We
> decided to push something ASAP and link to AV vendors that do have more
> info.

Yup, this has been confirmed by a full NAV sweep (its ID was Frethem.K). Looks like the machine was infected before NAV had defs for this variant -- the user found that the NAV setting for scheduling automated scans had been disabled -- surprise!

NAI and Trend Micro seem to be the only AV vendors to describe the port 80 behaviour. The NAI reference *did* turn up in my initial Google search for 'b.cgi', but I missed it because it was buried amongst a whole lot of other pages where people were using a.cgi and b.cgi etc. as example names. Sigh...

What is interesting is that the machine stopped scanning on its own at 4:30 the next morning after what looks like a successful download (argus logs showed about 4KB downloaded; this may have been an elaborate 404 or may be something more). I have tried to contact the site several times since but it isn't responding to port 80 now. I'm trying to figure out what, if anything, it got (I've asked the owners to list all files modified around the crucial time but they can not find anything).

Both NAI and Trend suggest that the web behaviour is linked to some affiliate scheme whereby the author will receive money from referrals to a web site. I don't see how this can work:

1/ Most of the IP addresses I tried resolving were in blocks allocated to cable or DSL ISPs.
2/ Most of the probes either timed out or received resets; about 1 in 50 got a response.
3/ Lastly, there is no referer information in the request.

My guess is that these machines are previously compromised systems and that this could be a way of distributing updates or backdoors through the network, or am I just being paranoid?

BTW I now have a snort rule to detect this activity -- I'll submit it to the snort-sigs list when I have done some more testing on the tcpdump file that I got when the machine was still probing.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It ain't necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
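The behaviour described in the post (an internal host issuing referer-less GET requests for 'b.cgi' on port 80 to many unrelated external addresses, most of which time out or reset) is a sweep pattern that can be picked out of ordinary HTTP or flow logs, independently of a Snort signature. The following is an added example, not the poster's snort rule or argus output: a small Python detector over a constructed, simplified request log (the line format is an assumption of this example) that flags any internal source which probes at least `min_targets` distinct web servers for `/b.cgi` inside a sliding time window, and reports how many probes got an HTTP answer at all.

```python
"""Flag internal hosts sweeping many web servers for /b.cgi.

Added example; the log format is constructed for illustration and is not
the argus or Snort output referred to in the post.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format (an assumption of this example):
#   <ISO time> <src> <dst>:<dport> <method> <path> referer=<value|-> result=<status|timeout|reset>
SAMPLE_LOG = """\
2002-08-04T23:10:01 10.1.2.3 203.0.113.10:80 GET /b.cgi referer=- result=timeout
2002-08-04T23:10:03 10.1.2.3 203.0.113.11:80 GET /b.cgi referer=- result=reset
2002-08-04T23:10:05 10.1.2.3 203.0.113.12:80 GET /b.cgi referer=- result=timeout
2002-08-04T23:10:07 10.1.2.3 203.0.113.13:80 GET /b.cgi referer=- result=timeout
2002-08-04T23:10:09 10.1.2.3 203.0.113.14:80 GET /b.cgi referer=- result=200
2002-08-04T23:10:11 10.1.2.3 203.0.113.15:80 GET /b.cgi referer=- result=timeout
2002-08-04T23:10:13 10.1.2.3 203.0.113.16:80 GET /b.cgi referer=- result=timeout
2002-08-04T23:10:15 10.1.2.3 203.0.113.17:80 GET /b.cgi referer=- result=reset
2002-08-04T23:11:00 10.1.2.9 198.51.100.5:80 GET /index.html referer=http://intranet.example/ result=200
2002-08-04T23:11:30 10.1.2.9 198.51.100.5:80 GET /b.cgi referer=- result=404
this line is malformed and must be skipped, not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) referer=(?P<referer>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    return rec


def is_probe(rec, path="/b.cgi"):
    """A probe: GET for the worm's path on port 80, no Referer, from an internal (RFC 1918) source."""
    return (rec["method"] == "GET" and rec["path"] == path and rec["dport"] == 80
            and rec["referer"] is None
            and ipaddress.ip_address(rec["src"]).is_private)


def find_sweepers(log_text, window=timedelta(minutes=10), min_targets=5):
    """Return {src: summary} for sources that probed >= min_targets distinct
    destinations within any span of length `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec):
            by_src[rec["src"]].append(rec)

    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        in_window = Counter()  # distinct destinations currently inside the sliding window
        left, peak = 0, 0
        for rec in recs:
            in_window[rec["dst"]] += 1
            # Slide the left edge forward until the window is no wider than `window`.
            while rec["ts"] - recs[left]["ts"] > window:
                old = recs[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            answered = sum(1 for r in recs if r["result"].isdigit())  # got an HTTP status back
            hits[src] = {
                "peak_targets_in_window": peak,
                "probes": len(recs),
                "answered": answered,
                "first": recs[0]["ts"],
                "last": recs[-1]["ts"],
            }
    return hits


if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {info['probes']} probes, {info['peak_targets_in_window']} distinct targets "
              f"in window, {info['answered']} answered, {info['first']} .. {info['last']}")
```

The `answered` / `probes` ratio is the figure worth watching: a real web client talks to hosts that answer, whereas the sweep in the post got a response from roughly 1 in 50 targets, so a low ratio across many distinct destinations separates the infected machine from a host that merely hit one `b.cgi` by accident (the second source above is not flagged). Thresholds and window are tunable; the test-net destination addresses are constructed.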
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 13:27:34 PDT