anyone recognise the malware causing this please?

Discussion in 'Home Networking' started by Mike Scott, Jul 20, 2015.

  1. Mike Scott (Guest)

    Hi, my apache web server is moaning about one local client (my son's)
    trying to access non-existent pages, in a pattern that looks as though
    W*Ws malware is present there. My son claims to have done a full Avast
    scan with nothing showing up, and disclaims knowledge of anything
    unusual on his machine.

    His machine has also tried to access my internet modem/router; it
    shouldn't even be aware of the existence of that, as he's on a separate
    network arm from that router, tucked behind a FreeBSD router/server box.

    It's happened twice today, same set of URLs being logged. My quick fix
    is to pull the plug on him; but if anyone could recognise the URLs
    involved, it might help a more sociable resolution :)

    They are (alpha order):

    /cgi-bin/a2/out.cgi
    /cgi-bin/ajaxmail
    /cgi-bin/arr/index.shtml
    /cgi-bin/at3/out.cgi
    /cgi-bin/atc/out.cgi
    /cgi-bin/atx/out.cgi
    /cgi-bin/auth
    /cgi-bin/bbs/postlist.pl
    /cgi-bin/bbs/postshow.pl
    /cgi-bin/bp_revision.cgi
    /cgi-bin/br5.cgi
    /cgi-bin/click.cgi
    /cgi-bin/clicks.cgi
    /cgi-bin/crtr/out.cgi
    /cgi-bin/fg.cgi
    /cgi-bin/findweather/getForecast
    /cgi-bin/findweather/hdfForecast
    /cgi-bin/frame_html
    /cgi-bin/getattach
    /cgi-bin/hotspotlogin.cgi
    /cgi-bin/hslogin.cgi
    /cgi-bin/ib/301_start.pl
    /cgi-bin/index
    /cgi-bin/index.cgi
    /cgi-bin/krcgi
    /cgi-bin/krcgistart
    /cgi-bin/link
    /cgi-bin/login
    /cgi-bin/login.cgi
    /cgi-bin/logout
    /cgi-bin/mainmenu.cgi
    /cgi-bin/mainsrch
    /cgi-bin/msglist
    /cgi-bin/navega
    /cgi-bin/openwebmail/openwebmail-main.pl
    /cgi-bin/out.cgi
    /cgi-bin/passremind
    /cgi-bin/rbaccess/rbcgi3m01
    /cgi-bin/rbaccess/rbunxcgi
    /cgi-bin/readmsg
    /cgi-bin/rshop.pl
    /cgi-bin/search.cgi
    /cgi-bin/spcnweb
    /cgi-bin/sse.dll
    /cgi-bin/start
    /cgi-bin/te/o.cgi
    /cgi-bin/tjcgi1
    /cgi-bin/top/out
    /cgi-bin/traffic/process.fcgi
    /cgi-bin/verify.cgi
    /cgi-bin/webproc
    /cgi-bin/webscr
    /cgi-bin/wingame.pl
    /das/cgi-bin/session.cgi
    /fcgi-bin/dispatch.fcgi
    /fcgi-bin/performance.fcgi
    /redir/cgi-bin/ajaxmail
    /rom-0


    Thanks in advance for any pointers.
     
    Mike Scott, Jul 20, 2015
    #1
  2. I would have your son download and run the free versions of Malwarebytes
    (found at https://www.malwarebytes.org) and SuperAntiSpyware
    (www.superantispyware.com) on his machine.

    I never trust just one anti-virus program to catch everything that tries
    to sneak in. I usually run both of them every couple of weeks just to
    keep my regular anti-spyware in check.
     
    GlowingBlueMist, Jul 21, 2015
    #2
  3. Mike Scott (Guest)

    Thanks for that. He has Avast (claimed to be up-to-date) running, which
    has not detected anything. SuperAntiSpyware also found nothing when he
    tried it. However Malwarebytes found something (he couldn't remember the
    designation, just "pup something or other") and removed it.

    It reminds me of why I moved to Linux :)

    Incidentally, whatever this stuff was up to, it was causing additional
    problems on my gateway firewall and server: particularly, FreeBSD's
    firewall was logging entries about full state table (iirc), which seems
    to have caused a raft of other faults.

    Anyway, thanks for the info; I'll see whether things settle down now.
     
    Mike Scott, Jul 22, 2015
    #3
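
The pattern described in the first post, one LAN client requesting a burst of different non-existent URLs, can be picked out of an Apache access log directly. The following is an added example, not part of the thread: the log lines, client addresses, threshold and time window are constructed assumptions, and the log is assumed to be in Apache common/combined format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, time, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-HTTP request line: skip it
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_scanners(lines, min_paths=5, window=timedelta(minutes=5)):
    """Map client IP -> sorted distinct 404 paths, for clients that asked for
    at least min_paths different missing URLs inside one sliding window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_paths:
                flagged[ip] = sorted({p for _, p in hits})
                break
    return flagged

# Constructed sample: one client probing six missing paths in six seconds,
# and a second client with normal traffic plus a single stray 404.
_PROBES = ["/cgi-bin/auth", "/cgi-bin/login.cgi", "/cgi-bin/webproc",
           "/cgi-bin/hslogin.cgi", "/fcgi-bin/dispatch.fcgi", "/rom-0"]
SAMPLE = [
    f'192.168.2.10 - - [20/Jul/2015:10:15:{i:02d} +0100] "GET {p} HTTP/1.1" 404 209'
    for i, p in enumerate(_PROBES)
] + [
    '192.168.2.20 - - [20/Jul/2015:10:16:00 +0100] "GET /index.html HTTP/1.1" 200 5120',
    '192.168.2.20 - - [20/Jul/2015:10:16:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209',
]
```

Counting distinct missing paths per client, rather than total 404s, keeps a browser that repeatedly asks for one absent file from being flagged.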