A Broadband and ADSL forum. BroadbanterBanter


anyone recognise the malware causing this please? (from July 2015-- resolved)



 
 
  #1  
March 15th 16, 11:17 AM, posted to uk.comp.home-networking
Mike Scott[_2_]

A problem understood.....

Middle of last year, I wrote:
Hi, my apache web server is moaning about one local client (my
son's) trying to access non-existent pages, in a pattern that looks
as though W*Ws malware is present there. My son claims to have done
a full avast scan with nothing showing up, and disclaims knowledge
of anything unusual on his machine.

His machine has also tried to access my internet modem/router; it
shouldn't even be aware of the existence of that, as he's on a
separate network arm from that router, tucked behind a freebsd
router/server box.

.....
They are (alpha order)

/cgi-bin/a2/out.cgi
/cgi-bin/ajaxmail
/cgi-bin/arr/index.shtml
/cgi-bin/at3/out.cgi
/cgi-bin/atc/out.cgi

(etc, etc)


I thought others might be interested in the cause. Which turns out to be
Avast's own software. They've quietly implemented something they call
Home Network Security(*), which involves testing the home router box for
various security issues. The only problem here being that the "router
box" is actually my gateway freebsd machine, which is secure enough to
moan about the probes -- although I do have to wonder why they've not
happened for the last 7 months or so!!!

On the face of it, a reasonable idea (except it's caused both of us a
lot of aggro chasing it down), but now malware can hide its probes
amongst avast's tests; not good. I suspect it's also illegal, at least
in the UK; not that anyone could ever take action.

Maybe I'll suggest he replace avast with something that doesn't do
this.... any suggestions for something better (and 0)?


For the interested, I dropped in a perl script to dump the environment
and cgi parameters when one of these was called. It popped up a log with
(in particular)

SCRIPT_NAME="/das/cgi-bin/session.cgi"
HTTP_USER_AGENT="() { ignored; }; echo Content-Type: text/html; echo ;
echo AVAST-HNS-SCAN-INFECTED ;"

So presumably testing for the bash vulnerability. What you're supposed
to do about it if it's found is anyone's guess.




(*)
https://blog.avast.com/2014/11/04/av...rity-scanning/


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
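
An added example, not code from either poster or from Avast: a check over Apache combined-format access-log lines for the pattern described in the post above. It flags header values that open with a bash function definition and labels a probe as Avast-like only when everything after the function body is a plain echo, since the marker string is self-declared and anything can send it. The log format, addresses, timestamps and the placeholder command are assumptions; the paths, marker and first User-Agent are the ones quoted in the post.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"')
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{[^}]*\}\s*;')  # the whole "() { ...; };" prefix
PLAIN_ECHO = re.compile(r'^echo(\s+[\w:/. -]+)?$')     # echo with harmless arguments only
MARKER = "AVAST-HNS-SCAN-INFECTED"                     # string from the post's log

def label_probe(value):
    """Return None (not a probe), 'avast-hns-like' or 'unverified' for one header value."""
    if not re.match(r'\s*\(\)\s*\{', value):   # value does not open a bash function
        return None
    m = FUNC_PREFIX.match(value)
    cmds = [c.strip() for c in value[m.end():].split(";") if c.strip()] if m else []
    # The marker is self-declared: accept it only when nothing but plain echos follow.
    if MARKER in value and cmds and all(PLAIN_ECHO.match(c) for c in cmds):
        return "avast-hns-like"
    return "unverified"

def summarise(lines):
    """Map client -> probe counts per label and /cgi-bin/ 404 count, for flagged clients."""
    out = {}
    for line in lines:
        if not (m := LOG_RE.match(line)):
            continue
        rec = out.setdefault(m["host"], {"probes": {}, "cgi_404": 0})
        for field in (m["referer"], m["agent"]):
            if label := label_probe(field):
                rec["probes"][label] = rec["probes"].get(label, 0) + 1
        if "/cgi-bin/" in m["path"] and m["status"] == "404":
            rec["cgi_404"] += 1
    return {h: r for h, r in out.items() if r["probes"] or r["cgi_404"]}

# Constructed sample: addresses, times and sizes are invented; paths and POST_UA are
# quoted from the post. OTHER_UA reuses the marker with a placeholder command.
POST_UA = "() { ignored; }; echo Content-Type: text/html; echo ; echo AVAST-HNS-SCAN-INFECTED ;"
OTHER_UA = "() { ignored; }; echo AVAST-HNS-SCAN-INFECTED ; placeholder-command --arg"
LINE = '%s - - [15/Mar/2016:10:00:00 +0000] "GET %s HTTP/1.1" %d 209 "-" "%s"'
SAMPLE = [
    LINE % ("192.168.2.10", "/das/cgi-bin/session.cgi", 200, POST_UA),
    LINE % ("192.168.2.10", "/cgi-bin/a2/out.cgi", 404, "Mozilla/5.0"),
    LINE % ("192.168.2.10", "/cgi-bin/ajaxmail", 404, "Mozilla/5.0"),
    LINE % ("192.168.2.77", "/cgi-bin/atc/out.cgi", 404, OTHER_UA),
    LINE % ("192.168.2.30", "/index.html", 200, "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A client whose probes are all labelled "avast-hns-like" matches what the post describes; any "unverified" count is a probe that merely carries the marker or omits it, and deserves the same attention as an unknown scanner.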
  #2  
March 15th 16, 12:58 PM, posted to uk.comp.home-networking
[email protected]

Mike Scott wrote:
> A problem understood.....
>
> Middle of last year, I wrote:
> Hi, my apache web server is moaning about one local client (my
> son's) trying to access non-existent pages, in a pattern that looks
> as though W*Ws malware is present there. My son claims to have done
> a full avast scan with nothing showing up, and disclaims knowledge
> of anything unusual on his machine.
>
> His machine has also tried to access my internet modem/router; it
> shouldn't even be aware of the existence of that, as he's on a
> separate network arm from that router, tucked behind a freebsd
> router/server box.
>
> ....
> They are (alpha order)
>
> /cgi-bin/a2/out.cgi
> /cgi-bin/ajaxmail
> /cgi-bin/arr/index.shtml
> /cgi-bin/at3/out.cgi
> /cgi-bin/atc/out.cgi
>
> (etc, etc)
>
>
> I thought others might be interested in the cause. Which turns out to be
> Avast's own software. They've quietly implemented something they call
> Home Network Security(*), which involves testing the home router box for
> various security issues. The only problem here being that the "router
> box" is actually my gateway freebsd machine, which is secure enough to
> moan about the probes -- although I do have to wonder why they've not
> happened for the last 7 months or so!!!
>
> On the face of it, a reasonable idea (except it's caused both of us a
> lot of aggro chasing it down), but now malware can hide its probes
> amongst avast's tests; not good. I suspect it's also illegal, at least
> in the UK; not that anyone could ever take action.
>
> Maybe I'll suggest he replace avast with something that doesn't do
> this.... any suggestions for something better (and 0)?
>
>
> For the interested, I dropped in a perl script to dump the environment
> and cgi parameters when one of these was called. It popped up a log with
> (in particular)
>
> SCRIPT_NAME="/das/cgi-bin/session.cgi"
> HTTP_USER_AGENT="() { ignored; }; echo Content-Type: text/html; echo ;
> echo AVAST-HNS-SCAN-INFECTED ;"
>
> So presumably testing for the bash vulnerability. What you're supposed
> to do about it if it's found is anyone's guess.

Absolutely typical, the whole 'anti-virus' industry is a huge con as
far as I'm concerned.

When I (or my son, who is better at it) investigate slow MS Windows
systems it's nine times out of ten due to Norton or some other
'protection' software hogging the disk or CPU.

--
Chris Green

 



