[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

weird b.cgi

I recently noticed in httpd-access.log these entries

200.140.XXX.XXX - - [03/Sep/2002:16:42:28 +0000] "GET 
/b.cgi?money&333596165&7503274E2F69 HTTP/1.1" 404 277 "-" "Mozilla"
62.98.XXX.XXX - - [03/Sep/2002:17:19:47 +0000] "GET 
/b.cgi?money&332156089&538030224B00 HTTP/1.1" 404 277 "-" "Mozilla"

I searched info about b.cgi on google and it sais it's a worm that tries to 
connect to a few listed sites, get some encrypted commands and execute them 
on the virused host. 

But why would he connect to my site ? (I even noticed such entries on my home 
dial-up system). I suspect it's some worm/scanner (like codered 'n stuff) but 
what vulnerability could someone find in b.cgi ?

Does anybody know something about this ? 
BTW. I traced the IP to brazil... home of the script kidie groups... could it 
be some of their ./haxor-script -scan_the_internet stuff ?

Proud member of PentaGuard
"Making the net a safer place since 1998"

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com