
anyone recognise the malware causing this please?



 
 
#1
July 20th 15, 06:48 PM, posted to uk.comp.home-networking
Mike Scott[_2_]

Hi, my apache web server is moaning about one local client (my son's)
trying to access non-existent pages, in a pattern that looks as though
W*Ws malware is present there. My son claims to have done a full avast
scan with nothing showing up, and disclaims knowledge of anything
unusual on his machine.

His machine has also tried to access my internet modem/router; it
shouldn't even be aware of the existence of that, as he's on a separate
network arm from that router, tucked behind a freebsd router/server box.

It's happened twice today, same set of URLs being logged. My quick fix
is to pull the plug on him; but if anyone could recognise the URLs
involved, it might help a more sociable resolution :-)

They are (alpha order)

/cgi-bin/a2/out.cgi
/cgi-bin/ajaxmail
/cgi-bin/arr/index.shtml
/cgi-bin/at3/out.cgi
/cgi-bin/atc/out.cgi
/cgi-bin/atx/out.cgi
/cgi-bin/auth
/cgi-bin/bbs/postlist.pl
/cgi-bin/bbs/postshow.pl
/cgi-bin/bp_revision.cgi
/cgi-bin/br5.cgi
/cgi-bin/click.cgi
/cgi-bin/clicks.cgi
/cgi-bin/crtr/out.cgi
/cgi-bin/fg.cgi
/cgi-bin/findweather/getForecast
/cgi-bin/findweather/hdfForecast
/cgi-bin/frame_html
/cgi-bin/getattach
/cgi-bin/hotspotlogin.cgi
/cgi-bin/hslogin.cgi
/cgi-bin/ib/301_start.pl
/cgi-bin/index
/cgi-bin/index.cgi
/cgi-bin/krcgi
/cgi-bin/krcgistart
/cgi-bin/link
/cgi-bin/login
/cgi-bin/login.cgi
/cgi-bin/logout
/cgi-bin/mainmenu.cgi
/cgi-bin/mainsrch
/cgi-bin/msglist
/cgi-bin/navega
/cgi-bin/openwebmail/openwebmail-main.pl
/cgi-bin/out.cgi
/cgi-bin/passremind
/cgi-bin/rbaccess/rbcgi3m01
/cgi-bin/rbaccess/rbunxcgi
/cgi-bin/readmsg
/cgi-bin/rshop.pl
/cgi-bin/search.cgi
/cgi-bin/spcnweb
/cgi-bin/sse.dll
/cgi-bin/start
/cgi-bin/te/o.cgi
/cgi-bin/tjcgi1
/cgi-bin/top/out
/cgi-bin/traffic/process.fcgi
/cgi-bin/verify.cgi
/cgi-bin/webproc
/cgi-bin/webscr
/cgi-bin/wingame.pl
/das/cgi-bin/session.cgi
/fcgi-bin/dispatch.fcgi
/fcgi-bin/performance.fcgi
/redir/cgi-bin/ajaxmail
/rom-0


Thanks in advance for any pointers.


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
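
One way to confirm from the Apache access log that the same set of non-existent URLs was requested in separate runs, as the post above describes (an added example, not part of the original thread). The client addresses, timestamps and function names are constructed; only the paths come from the list above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from hashlib import sha256

# Apache common/combined log: host ident user [time] "METHOD path proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def probe_bursts(lines, gap=timedelta(seconds=60), min_paths=5):
    """Split each client's 404s into bursts separated by more than `gap`; return
    (client, start, distinct_paths, fingerprint of the sorted path set) per burst."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "404":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(1)].append((ts, m.group(3).split("?")[0]))
    bursts = []
    for client, events in hits.items():
        events.sort()
        start, last, paths = None, None, set()
        for ts, path in events + [(None, None)]:   # sentinel flushes the last burst
            if ts is None or (last is not None and ts - last > gap):
                if len(paths) >= min_paths:
                    fp = sha256("\n".join(sorted(paths)).encode()).hexdigest()[:12]
                    bursts.append((client, start, len(paths), fp))
                start, paths = None, set()
            if ts is not None:
                start, last = start or ts, ts
                paths.add(path)
    return bursts

def repeated(bursts):
    """(client, fingerprint) pairs seen in more than one burst, with start times."""
    seen = defaultdict(list)
    for client, start, _, fp in bursts:
        seen[(client, fp)].append(start)
    return {k: v for k, v in seen.items() if len(v) > 1}

def sample_log():
    """Constructed log lines: addresses and times are made up, paths are from the post."""
    probes = ["/cgi-bin/a2/out.cgi", "/cgi-bin/ajaxmail", "/cgi-bin/hotspotlogin.cgi",
              "/cgi-bin/login.cgi", "/cgi-bin/webproc", "/rom-0"]
    fmt = '{ip} - - [20/Jul/2015:{t} +0100] "GET {p} HTTP/1.1" {s} 209'
    out = [fmt.format(ip="192.168.2.20", t="09:58:02", p="/favicon.ico", s=404)]
    for hhmm in ("10:00", "15:30"):             # two runs of the same probe list
        out += [fmt.format(ip="192.168.2.10", t=f"{hhmm}:{i:02d}", p=p, s=404)
                for i, p in enumerate(probes)]
    return out
```

Feeding it the real access log (`probe_bursts(open(path))`) gives one row per burst; a fingerprint that recurs for the same client means the same probe list ran again, which narrows the search to whatever on that machine runs on a schedule or on demand.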
#2
July 21st 15, 02:31 AM, posted to uk.comp.home-networking
GlowingBlueMist[_2_]

On 7/20/2015 12:48 PM, Mike Scott wrote:
> Hi, my apache web server is moaning about one local client (my son's)
> trying to access non-existent pages, in a pattern that looks as though
> W*Ws malware is present there. My son claims to have done a full avast
> scan with nothing showing up, and disclaims knowledge of anything
> unusual on his machine.
>
> His machine has also tried to access my internet modem/router; it
> shouldn't even be aware of the existence of that, as he's on a separate
> network arm from that router, tucked behind a freebsd router/server box.
>
> It's happened twice today, same set of URLs being logged. My quick fix
> is to pull the plug on him; but if anyone could recognise the URLs
> involved, it might help a more sociable resolution :-)

I would have your son download and run the free versions of Malwarebytes
(found at https://www.malwarebytes.org) and SuperAntiSpyware
(www.superantispyware.com) on his machine.

I never trust just one anti-virus program to catch everything that tries
to sneak in. I usually run both of them every couple of weeks just to
keep my regular anti-spyware in check.
#3
July 22nd 15, 08:47 AM, posted to uk.comp.home-networking
Mike Scott[_2_]

On 21/07/15 02:31, GlowingBlueMist wrote:
> On 7/20/2015 12:48 PM, Mike Scott wrote:
>> Hi, my apache web server is moaning about one local client (my son's)
>> trying to access non-existent pages, in a pattern that looks as though
>> W*Ws malware is present there. My son claims to have done a full avast
>> scan with nothing showing up, and disclaims knowledge of anything
>> unusual on his machine.
>>
........
>> Thanks in advance for any pointers.
>
> I would have your son download and run the free versions of Malwarebytes
> (found at https://www.malwarebytes.org) and SuperAntiSpyware
> (www.superantispyware.com) on his machine.
>
> I never trust just one anti-virus program to catch everything that tries
> to sneak in. I usually run both of them every couple of weeks just to
> keep my regular anti-spyware in check.


Thanks for that. He has avast (claimed to be up-to-date) running, which
has not detected anything. SuperAntiSpyware also found nothing when he
tried it. However Malwarebytes found something (he couldn't remember the
designation, just "pup something or other") and removed it.

It reminds me of why I moved to linux :-)

Incidentally, whatever this stuff was up to, it was causing additional
problems on my gateway firewall and server: particularly, freebsd's
firewall was logging entries about full state table (iirc), which seems
to have caused a raft of other faults.

Anyway, thanks for the info; I'll see whether things settle down now.


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
#4
May 10th 16, 03:09 PM, posted to uk.comp.home-networking
Ana

On Monday, 20 July 2015 14:48:55 UTC-3, Mike Scott wrote:
> Hi, my apache web server is moaning about one local client (my son's)
> trying to access non-existent pages, in a pattern that looks as though
> W*Ws malware is present there. My son claims to have done a full avast
> scan with nothing showing up, and disclaims knowledge of anything
> unusual on his machine.
>
> His machine has also tried to access my internet modem/router; it
> shouldn't even be aware of the existence of that, as he's on a separate
> network arm from that router, tucked behind a freebsd router/server box.
>
> It's happened twice today, same set of URLs being logged. My quick fix
> is to pull the plug on him; but if anyone could recognise the URLs
> involved, it might help a more sociable resolution :-)


Hi Mike Scott,

In my network, this problem was caused by Avast Antivirus. Look: http://nazarenolatella.myblog.it/tag/malware/ and https://blog.avast.com/2014/11/04/av...rity-scanning/

 



