weird b.cgi

From: HalbaSus (halbasusat_private)
Date: Sun Sep 08 2002 - 08:33:59 PDT


    I recently noticed in httpd-access.log these entries:
    
    200.140.XXX.XXX - - [03/Sep/2002:16:42:28 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
    62.98.XXX.XXX - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"
    
    I searched for info about b.cgi on Google and it says it's a worm that tries to 
    connect to a few listed sites, get some encrypted commands and execute them 
    on the infected host. 
    
    But why would he connect to my site? (I even noticed such entries on my home 
    dial-up system.) I suspect it's some worm/scanner (like Code Red 'n stuff), but 
    what vulnerability could someone find in b.cgi?
    
    Does anybody know anything about this? 
    BTW, I traced the IP to Brazil... home of the script kiddie groups... could it 
    be some of their ./haxor-script -scan_the_internet stuff?
    
    
    -- 
    -------------------
    Proud member of PentaGuard
    "Making the net a safer place since 1998"
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
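    An added example (not part of the original post) of how a defender might sift an
    Apache combined-format access log for the b.cgi requests quoted above: it parses
    each line, matches the /b.cgi?money&<decimal>&<hex> query shape, and notes that a
    404 means the script is absent, so the hit is a probe aimed at the host rather than
    a sign the host itself is infected. The sample log is constructed from the post's
    two entries (IPs masked as in the original) plus one ordinary request.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the post (IPs masked as in the
# original) plus one ordinary request so the filter has something to ignore.
SAMPLE_LOG = """\
200.140.XXX.XXX - - [03/Sep/2002:16:42:28 +0000] "GET /b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
62.98.XXX.XXX - - [03/Sep/2002:17:19:47 +0000] "GET /b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.10 - - [03/Sep/2002:17:20:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Apache "combined" format. The host field is \S+ rather than a strict IP so that
# masked addresses like 200.140.XXX.XXX still parse.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Query shape seen in the post: /b.cgi?money&<decimal>&<hex>. What the two fields
# mean is not known from the post; they are captured only for correlation.
BCGI_RE = re.compile(r'^/b\.cgi\?money&(?P<num>\d+)&(?P<hexid>[0-9A-Fa-f]+)$')

def find_bcgi_probes(log_text):
    """Return parsed entries (dicts) whose request path matches the b.cgi pattern."""
    probes = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue            # malformed or non-combined line: skip, do not crash
        entry = m.groupdict()
        q = BCGI_RE.match(entry["path"])
        if q:
            entry.update(q.groupdict())
            entry["status"] = int(entry["status"])
            probes.append(entry)
    return probes

def classify(entry):
    """404: no b.cgi exists here, so the hit is a probe/beacon aimed at this host,
    not evidence of infection. 2xx: the script really exists and needs looking at."""
    if entry["status"] == 404:
        return "probe-only (script absent)"
    if 200 <= entry["status"] < 300:
        return "script present: investigate"
    return "other"

def count_by_host(probes):
    """Probes per source address, to show whether a single source repeats."""
    return Counter(p["host"] for p in probes)
```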
    



    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 10:14:21 PDT