Yes, I read about this virus too. BUT: these requests appeared on 2 boxes. One is a cable-hosted small mail server (I'm pretty sure it's not compromised), while the second box is my home dial-up machine (I'm not even running Apache all the time, only when I do tests). Although the two IPs belong to the same ISP, they don't have similar IPs. The source IPs were different, and so was the time of the "attack"...

Also, on my dial-up box I had 3 requests (coming at intervals of about 40 minutes), but during this time my IP had changed (remember, dial-up dynamically allocated IPs). That's why I suspect some sort of scanner-like action. The other weird thing is that my dial-up box was "scanned" for b.cgi from 3 different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes (even though meanwhile I changed my IP).

The GET request is pretty weird:

GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla

It might be encrypted, but it looks like a pretty simple encryption to me (yet I'm not a cryptographer, just guessing...). The fact that the & sign is repeated makes me believe that there are actually 2 "encrypted" commands (if we're talking about the virus). Now, I believe it's obvious that this virus/worm/whatever is scanning for "b.cgi"... In the description of Frethem it says that it tries to connect to a number of predefined hosts... Is this some new version with an included scanner or something?

Oh, one more interesting thing... I usually get 2-3 e-mails daily like "Hi, your password" or "This is a good tool" etc., all of them trying to exploit IFRAME and human stupidity (I'm running FreeBSD and KMail so I don't think I'm infected or anything). BUT... I believe that other users from my ISP got the very same message, so... is it possible for a "worm" to open a daemon sitting on 80 waiting for b.cgi inputs? If it is... it's starting to make sense. Some dude got infected, but since he is on dial-up too, the other clients have to "scan" for it.

Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable but was turned off... so they're probably home Windows computers... (nimda/codered/apache-worm type worms excluded since they would only penetrate webservers)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
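For anyone wanting to check their own Apache logs for the pattern the poster describes (repeated requests for b.cgi from unrelated sources roughly 40 minutes apart), here is an added Python example. It is not code from the post or from the list; the log lines embedded in it are constructed samples in Apache "combined" format using documentation IP ranges, modelled on the single request quoted above. It parses each line, picks out requests whose script path is /b.cgi, splits the query on "&" (the poster's observation that the query looks like several "&"-separated tokens), flags tokens that look hex-encoded, and reports the minutes between consecutive probes and the count per source IP. The target path and the hex heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Apache "combined" format). The IPs are from
# documentation ranges and the timestamps are made up to mimic ~40-minute gaps.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2002:07:02:11 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [10/Sep/2002:07:41:52 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
203.0.113.22 - - [10/Sep/2002:08:22:05 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.55 - - [10/Sep/2002:08:30:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Regex for the combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def split_query(path):
    """Return (script, tokens): the path before '?' and the '&'-separated query tokens."""
    script, _, query = path.partition("?")
    return script, (query.split("&") if query else [])


def is_hexlike(token):
    """Heuristic (an assumption, not a rule): even-length, all hex digits."""
    return len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token) is not None


def find_bcgi_probes(log_text, target="/b.cgi"):
    """Collect every request whose script path equals `target`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        script, tokens = split_query(rec["path"])
        if script == target:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": int(rec["status"]),
                "tokens": tokens,
                "hexlike": [t for t in tokens if is_hexlike(t)],
            })
    return hits


def intervals_minutes(hits):
    """Whole minutes between consecutive probes, in time order."""
    ts = sorted(h["ts"] for h in hits)
    return [round((b - a).total_seconds() / 60) for a, b in zip(ts, ts[1:])]


def probes_per_ip(hits):
    """Count of probes per source IP (many IPs with one probe each suggests scanning)."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    probes = find_bcgi_probes(SAMPLE_LOG)
    for p in probes:
        print(p["ts"].isoformat(), p["ip"], p["status"], p["tokens"], "hex-like:", p["hexlike"])
    print("minutes between probes:", intervals_minutes(probes))
    print("probes per source IP:", probes_per_ip(probes))
```

Run it as-is to see the three constructed probes reported with 40-minute gaps and one probe per source IP; to use it on a real log, replace SAMPLE_LOG with the file contents. Because the requests return 404 on a host that does not serve b.cgi, the useful signal is not the status but the spread of source IPs and the regular timing, which is exactly what the summary functions expose.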
This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 08:55:36 PDT