Security Incidents mailing list archives

Re: weird b.cgi


From: HalbaSus <halbasus () go ro>
Date: Tue, 10 Sep 2002 10:39:44 +0000

Yes, I read about this virus too. BUT:

These requests appeared on 2 boxes. One is a cable-hosted small mail server (I'm 
pretty sure it's not compromised), while the second box is my home dial-up 
machine (I'm not even running Apache all the time, only when I do tests). Yet 
although the two IPs belong to the same ISP, they don't have similar IPs. 

The source IPs were different, and so was the time of the "attack"... Also, on my 
dial-up box I had 3 requests (coming at intervals of about 40 minutes), but 
during this time my IP had changed (remember, dial-up: dynamically allocated 
IPs). That's why I suspect some sort of scanner-like action. 

The other weird thing is that my dial-up box was "scanned" for b.cgi from 3 
different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes 
(even though I changed my IP in the meantime).

The GET request is pretty weird:

 GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla

It might be encrypted, but it looks like pretty simple encryption to me (yet 
I'm not a cryptographer, just guessing...)

The fact that the & sign is repeated makes me believe that there are actually 
2 "encrypted" commands (if we're talking about the virus). 

Now, I believe it's obvious that this virus/worm/whatever is scanning for 
"b.cgi"... The description of Frethem says that it tries to connect to 
a number of predefined hosts... Is this some new version with an included 
scanner or something?

Oh, one more interesting thing... I get like 2-3 e-mails daily ("Hi, 
your password", "This is a good tool", etc.), all of them trying to exploit 
IFRAME and human stupidity (I'm running FreeBSD and KMail, so I don't think 
I'm infected or anything). BUT... I believe that other users from my ISP got 
the very same message, so... is it possible for a "worm" to open a daemon 
sitting on 80 waiting for b.cgi input? If it is... it's starting to make 
sense. Some dude got infected, but since he is on dial-up too, the other 
clients have to "scan" for it.

Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable 
but was turned off... so they're probably home Windows computers... 
(Nimda/Code Red/Apache-worm type worms excluded, since they would only 
penetrate web servers)



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
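An added example, not from the poster or the list: a small Python script that parses Apache combined-format access-log lines of the kind quoted above, picks out requests for /b.cgi, labels the "&"-separated fields the way the post reads them (a word, a decimal number, a hex string) and computes the spacing in minutes between successive probes. The log lines, source IPs, timestamps and user agents are constructed for the example and are not the poster's real records; only the request line is modelled on the quoted fragment.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Apache "combined" log format. Assumption: the quoted fragment was cut from a
# record in this layout (it starts at the request line and ends in the UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Request:
    ip: str
    when: datetime
    path: str
    fields: List[str]   # query string split on '&'
    status: int
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return Request(
        ip=m.group("ip"),
        when=datetime.strptime(m.group("ts"), TS_FMT),
        path=path,
        fields=query.split("&") if query else [],
        status=int(m.group("status")),
        ua=m.group("ua"),
    )


def is_hex_token(s: str) -> bool:
    """True for a non-empty, even-length string of hex digits (whole bytes)."""
    return len(s) > 0 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def classify_fields(fields: List[str]) -> List[str]:
    """Label each '&'-separated field as 'word', 'decimal', 'hex' or 'other'."""
    labels = []
    for f in fields:
        if f.isdigit():
            labels.append("decimal")      # checked first: digit-only hex is ambiguous
        elif is_hex_token(f):
            labels.append("hex")
        elif f.isalpha():
            labels.append("word")
        else:
            labels.append("other")
    return labels


def find_probes(lines: List[str], path: str = "/b.cgi") -> List[Request]:
    """All parseable requests for `path`, sorted by time, whatever the source IP."""
    hits = [r for r in map(parse_line, lines) if r is not None and r.path == path]
    hits.sort(key=lambda r: r.when)
    return hits


def intervals_minutes(hits: List[Request]) -> List[float]:
    """Minutes between consecutive probes (the post reports roughly 40)."""
    return [(b.when - a.when).total_seconds() / 60 for a, b in zip(hits, hits[1:])]


# Constructed sample log (documentation IP ranges; times chosen 40 minutes apart).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2002:09:12:44 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [10/Sep/2002:09:30:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.20 - - [10/Sep/2002:09:52:44 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.9 - - [10/Sep/2002:10:32:44 +0000] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for r in probes:
        print(r.when.isoformat(), r.ip, r.status, r.fields, classify_fields(r.fields))
    print("minutes between probes:", intervals_minutes(probes))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; since the poster's servers answered 404, the status filter is deliberately absent so that probes show up whether or not /b.cgi exists on the host. The field labels only describe the shape of the tokens (a 9-digit number and 6 bytes of hex); they say nothing about what the tokens mean.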

