Re: (AUSCERT#c42e2) Re: odd traffic on port 80 from win 98 system - Frethem.K

From: Russell Fulton (r.fultonat_private)
Date: Sun Aug 04 2002 - 20:21:55 PDT

  • Next message: Anton A. Chuvakin: "Honeynet Scan of the Month for August released"

    This is a followup to my post on Friday about strange port 80 probes.
    On Mon, 2002-08-05 at 14:20, auscertat_private wrote:
    > Greetings Russell,
    > The lists seem to agree that Frethem is the culprit.  Our AusCERT Update
    > on Frethem doesn't discuss the activity you mentioned unfortunately.  We
    > decided to push something ASAP and link to AV vendors that do have more
    > info.
    yup, this has been confirmed by a full NAV sweep (its ID was
    Frethem.K).  Looks like the machine was infected before NAV had defs for
    this variant --  the user found that the NAV setting for scheduling
    automated scans had been disabled -- surprise!
    NAI and Trendmicro seem to be the only AV vendors to describe the port
    80 behaviour, the NAI reference *did* turn up in my initial google
    search for 'b.cgi' but I missed it because it was buried in amongst a
    whole lot of other pages which were all things where people were using
    a.cgi and b.cgi etc as example names.  Sigh...
    What is interesting is that the machine stopped scanning on its own at
    4:30 the next morning after what looks like a successful download (argus
    logs showd about 4KB downloaded, this may have been an elaborate 404 or
    may be something more).  I have tried to contact the site several times
    since but it isn't responding to port 80 now.  I'm trying to figure out
    what, if anything, it got (I've asked the owners to list all files
    modified around the crucial time but they can not find anything).
    Both NAI and Trend suggest that the web behaviour is linked to some
    affilate scheme where by the author will receive money from referals to
    a web site.  I don't see how this can work:  
    1/ Most of the IP addresses I tried resolving were in blocks allocated
    to cable or dsl ISPs.  
    2/ Most of the probes either timed out or received resets, about 1 in 50
    got a response.  
    3/Lastly there is no refer information in the request.
    My guess is that these machines are previously compromised systems and
    that this could be a way of distributing updates or backdoors through
    the network, or am I just being paranoid? 
    BTW I now have a snort rule to detect this activity -- I'll submit it to
    the snort-sigs list when I have done some more testing on the tcpdump
    file that I got when the machine was still probing.
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    "It ain't necessarily so"  - Gershwin
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 13:27:34 PDT