
anyone recognise the malware causing this please?


Mike Scott

Jul 20, 2015, 1:48:55 PM
Hi, my apache web server is moaning about one local client (my son's)
trying to access non-existent pages, in a pattern that looks as though
W*Ws malware is present there. My son claims to have done a full avast
scan with nothing showing up, and disclaims knowledge of anything
unusual on his machine.

His machine has also tried to access my internet modem/router; it
shouldn't even be aware of the existence of that, as he's on a separate
network arm from that router, tucked behind a freebsd router/server box.

It's happened twice today, same set of URLs being logged. My quick fix
is to pull the plug on him; but if anyone could recognise the URLs
involved, it might help a more sociable resolution :-)

They are (alpha order)

/cgi-bin/a2/out.cgi
/cgi-bin/ajaxmail
/cgi-bin/arr/index.shtml
/cgi-bin/at3/out.cgi
/cgi-bin/atc/out.cgi
/cgi-bin/atx/out.cgi
/cgi-bin/auth
/cgi-bin/bbs/postlist.pl
/cgi-bin/bbs/postshow.pl
/cgi-bin/bp_revision.cgi
/cgi-bin/br5.cgi
/cgi-bin/click.cgi
/cgi-bin/clicks.cgi
/cgi-bin/crtr/out.cgi
/cgi-bin/fg.cgi
/cgi-bin/findweather/getForecast
/cgi-bin/findweather/hdfForecast
/cgi-bin/frame_html
/cgi-bin/getattach
/cgi-bin/hotspotlogin.cgi
/cgi-bin/hslogin.cgi
/cgi-bin/ib/301_start.pl
/cgi-bin/index
/cgi-bin/index.cgi
/cgi-bin/krcgi
/cgi-bin/krcgistart
/cgi-bin/link
/cgi-bin/login
/cgi-bin/login.cgi
/cgi-bin/logout
/cgi-bin/mainmenu.cgi
/cgi-bin/mainsrch
/cgi-bin/msglist
/cgi-bin/navega
/cgi-bin/openwebmail/openwebmail-main.pl
/cgi-bin/out.cgi
/cgi-bin/passremind
/cgi-bin/rbaccess/rbcgi3m01
/cgi-bin/rbaccess/rbunxcgi
/cgi-bin/readmsg
/cgi-bin/rshop.pl
/cgi-bin/search.cgi
/cgi-bin/spcnweb
/cgi-bin/sse.dll
/cgi-bin/start
/cgi-bin/te/o.cgi
/cgi-bin/tjcgi1
/cgi-bin/top/out
/cgi-bin/traffic/process.fcgi
/cgi-bin/verify.cgi
/cgi-bin/webproc
/cgi-bin/webscr
/cgi-bin/wingame.pl
/das/cgi-bin/session.cgi
/fcgi-bin/dispatch.fcgi
/fcgi-bin/performance.fcgi
/redir/cgi-bin/ajaxmail
/rom-0


Thanks in advance for any pointers.


--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England
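As an added illustration of the pattern described above (this is not code from the original post or from any of the products mentioned), the script below parses Apache combined-format access log lines and flags any client that drew 404 responses for several distinct paths inside a short time window, which is what a client sweeping through a list of CGI paths looks like from the server's side. The log lines are constructed for the example, using some of the paths listed above; the client addresses, timestamps and the thresholds are assumptions.

```python
"""Flag clients that probe an Apache server for many non-existent paths.

Added example, not from the original post. Parses Apache "combined"
LogFormat lines and reports clients that received 404s for at least
MIN_PATHS distinct paths within a sliding WINDOW. Sample log, client
addresses and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

MIN_PATHS = 5                  # distinct 404 paths before a client is flagged
WINDOW = timedelta(minutes=5)  # time span those 404s must fall within

# Constructed sample: 192.168.2.10 sweeps CGI paths from the post within a
# few seconds; 192.168.2.11 is a normal browser with two missing assets.
SAMPLE_LOG = """\
192.168.2.10 - - [20/Jul/2015:13:40:01 +0100] "GET /cgi-bin/a2/out.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Jul/2015:13:40:01 +0100] "GET /cgi-bin/ajaxmail HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Jul/2015:13:40:02 +0100] "GET /cgi-bin/hotspotlogin.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Jul/2015:13:40:02 +0100] "GET /cgi-bin/login.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Jul/2015:13:40:03 +0100] "GET /cgi-bin/webscr HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [20/Jul/2015:13:40:03 +0100] "GET /rom-0 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.11 - - [20/Jul/2015:13:41:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.2.11 - - [20/Jul/2015:13:41:10 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.11 - - [20/Jul/2015:13:41:11 +0100] "GET /images/logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return {host, time, path, status} for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def find_probers(lines, min_paths=MIN_PATHS, window=WINDOW):
    """Map each flagged client to the sorted distinct 404 paths it requested.

    A client is flagged when, within any span of length `window`, it
    received 404s for at least `min_paths` distinct paths.
    """
    events = defaultdict(list)  # host -> [(time, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        events[rec["host"]].append((rec["time"], rec["path"]))

    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {path for _, path in evs[start:end + 1]}
            if len(distinct) >= min_paths:
                flagged[host] = sorted({path for _, path in evs})
                break
    return flagged


if __name__ == "__main__":
    for host, paths in find_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(paths)} distinct 404 paths")
        for path in paths:
            print("   ", path)
```

The threshold matters: one broken page can generate a handful of 404s on its own (favicon, missing images), so `MIN_PATHS` should sit above that; at the default of 5 the second sample client, with only two 404s, is not reported. Once a client is flagged the script lists every distinct path it 404'd on, which is the list you would compare against a scanner signature or post for identification.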

GlowingBlueMist

Jul 20, 2015, 9:31:39 PM
I would have your son download and run the free versions of Malwarebytes
(found at https://www.malwarebytes.org) and SuperAntiSpyware
(www.superantispyware.com) on his machine.

I never trust just one anti-virus program to catch everything that tries
to sneak in. I usually run both of them every couple of weeks just to
keep my regular anti-spyware in check.

Mike Scott

Jul 22, 2015, 3:47:57 AM
On 21/07/15 02:31, GlowingBlueMist wrote:
> On 7/20/2015 12:48 PM, Mike Scott wrote:
>> Hi, my apache web server is moaning about one local client (my son's)
>> trying to access non-existent pages, in a pattern that looks as though
>> W*Ws malware is present there. My son claims to have done a full avast
>> scan with nothing showing up, and disclaims knowledge of anything
>> unusual on his machine.
.......
>> Thanks in advance for any pointers.
>>
>>
> I would have your son download and run the free versions of Malwarebytes
> (found at https://www.malwarebytes.org) and SuperAntiSpyware
> (www.superantispyware.com) on his machine.
>
> I never trust just one anti-virus program to catch everything that tries
> to sneak in. I usually run both of them every couple of weeks just to
> keep my regular anti-spyware in check.

Thanks for that. He has avast (claimed to be up-to-date) running, which
has not detected anything. SuperAntiSpyware also found nothing when he
tried it. However Malwarebytes found something (he couldn't remember the
designation, just "pup something or other") and removed it.

It reminds me of why I moved to linux :-)

Incidentally, whatever this stuff was up to, it was causing additional
problems on my gateway firewall and server: particularly, freebsd's
firewall was logging entries about full state table (iirc), which seems
to have caused a raft of other faults.

Anyway, thanks for the info; I'll see whether things settle down now.

Ana

May 10, 2016, 10:09:57 AM


Hi Mike Scott,

In my network, this problem was caused by Avast Antivirus. Look: http://nazarenolatella.myblog.it/tag/malware/ and https://blog.avast.com/2014/11/04/avast-2015-new-feature-home-network-security-scanning/
