
re: anyone recognise the malware causing this please? (from July 2015 -- resolved)


Mike Scott

Mar 15, 2016, 6:17:28 AM3/15/16
A problem understood.....

Middle of last year, I wrote:
>> Hi, my apache web server is moaning about one local client (my
>> son's) trying to access non-existent pages, in a pattern that looks
>> as though W*Ws malware is present there. My son claims to have done
>> a full avast scan with nothing showing up, and disclaims knowledge
>> of anything unusual on his machine.
>>
>> His machine has also tried to access my internet modem/router; it
>> shouldn't even be aware of the existence of that, as he's on a
>> separate network arm from that router, tucked behind a freebsd
>> router/server box.
....
>> They are (alpha order)
>>
>> /cgi-bin/a2/out.cgi
>> /cgi-bin/ajaxmail
>> /cgi-bin/arr/index.shtml
>> /cgi-bin/at3/out.cgi
>> /cgi-bin/atc/out.cgi
(etc, etc)


I thought others might be interested in the cause. Which turns out to be
Avast's own software. They've quietly implemented something they call
Home Network Security(*), which involves testing the home router box for
various security issues. The only problem here being that the "router
box" is actually my gateway freebsd machine, which is secure enough to
moan about the probes -- although I do have to wonder why they've not
happened for the last 7 months or so!!!

On the face of it, a reasonable idea (except it's caused both of us a
lot of aggro chasing it down), but now malware can hide its probes
amongst avast's tests; not good. I suspect it's also illegal, at least
in the UK; not that anyone could ever take action.

Maybe I'll suggest he replace avast with something that doesn't do
this.... any suggestions for something better (and £0)?


For the interested, I dropped in a perl script to dump the environment
and cgi parameters when one of these was called. It popped up a log with
(in particular)

SCRIPT_NAME="/das/cgi-bin/session.cgi"
HTTP_USER_AGENT="() { ignored; }; echo Content-Type: text/html; echo ;
echo AVAST-HNS-SCAN-INFECTED ;"

So presumably testing for the bash vulnerability. What you're supposed
to do about it if it's found is anyone's guess.




(*)
https://blog.avast.com/2014/11/04/avast-2015-new-feature-home-network-security-scanning/


--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England
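Added example (editor's code, not from Mike Scott's post or from Avast): the post's observation is that the probes showed up as 404s on non-existent /cgi-bin/ paths and carried a `() { ...; };` User-Agent, i.e. the Shellshock bash-function-in-environment test, tagged with an AVAST-HNS-SCAN marker. The script below scans Apache combined-format log lines for both signals and reports them per source IP. The log lines are constructed for the example; the IPs, timestamps and the second User-Agent are assumptions, and the "AVAST-HNS-SCAN" tag is treated as a hint only, since any client can send that string.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not taken from the original post).
# Paths follow the ones the post lists; IPs, timestamps and the last User-Agent are made up.
SAMPLE_LOG = """\
192.168.2.23 - - [14/Jul/2015:21:03:11 +0100] "GET /cgi-bin/a2/out.cgi HTTP/1.1" 404 213 "-" "() { ignored; }; echo Content-Type: text/html; echo ; echo AVAST-HNS-SCAN-INFECTED ;"
192.168.2.23 - - [14/Jul/2015:21:03:12 +0100] "GET /cgi-bin/ajaxmail HTTP/1.1" 404 213 "-" "() { ignored; }; echo Content-Type: text/html; echo ; echo AVAST-HNS-SCAN-INFECTED ;"
192.168.2.23 - - [14/Jul/2015:21:03:12 +0100] "GET /cgi-bin/arr/index.shtml HTTP/1.1" 404 213 "-" "() { ignored; }; echo Content-Type: text/html; echo ; echo AVAST-HNS-SCAN-INFECTED ;"
192.168.2.40 - - [14/Jul/2015:21:05:02 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; FreeBSD amd64) Firefox/38.0"
192.168.2.23 - - [14/Jul/2015:21:05:30 +0100] "GET /das/cgi-bin/session.cgi HTTP/1.1" 200 52 "-" "() { :; }; /bin/echo probe"
"""

# Apache "combined" LogFormat: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock shape: a bash function definition "() { ... }" followed by ";" and trailing commands.
# The body is irrelevant; what matters is the exported-function syntax in a request header.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

AVAST_MARKER = "AVAST-HNS-SCAN"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(user_agent):
    """True if the User-Agent carries the Shellshock function-definition pattern."""
    return bool(SHELLSHOCK_RE.search(user_agent))


def scan_log(text):
    """Return (findings, per_ip_counts).

    A line is a finding if its User-Agent looks like a Shellshock test, or if it
    is a 404 against a /cgi-bin/ path (the blind script-name probing the post saw).
    The Avast marker is recorded separately: it is a plain string, so it only says
    the client *claims* to be the Avast scanner, not that it is.
    """
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_shellshock_probe(rec["ua"]):
            reasons.append("shellshock-style user-agent")
        if "/cgi-bin/" in rec["path"] and rec["status"] == "404":
            reasons.append("probe of non-existent cgi-bin path")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "reasons": reasons,
                "claims_avast": AVAST_MARKER in rec["ua"],
            })
            per_ip[rec["ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for f in found:
        tag = " (claims Avast HNS)" if f["claims_avast"] else ""
        print(f'{f["ip"]} {f["path"]}: {", ".join(f["reasons"])}{tag}')
    for ip, n in counts.most_common():
        print(f"{ip}: {n} suspicious request(s)")
```

Run against a real access log, the per-IP count is what points you at the one LAN host doing the probing, as in the post; the `claims_avast` flag then separates requests that carry the scanner's marker from ones that carry the same Shellshock syntax without it, which is the case the post worries about.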

c...@isbd.net

Mar 15, 2016, 8:03:03 AM3/15/16
Absolutely typical, the whole 'anti-virus' industry is a huge con as
far as I'm concerned.

When I (or my son, who is better at it) investigate slow MS Windows
systems it's nine times out of ten due to Norton or some other
'protection' software hogging the disk or CPU.

--
Chris Green