Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 07/10/04

    Date: Fri, 09 Jul 2004 22:28:04 -0500
    To: "Humes, David  G." <David.Humes@jhuapl.edu>, incidents@securityfocus.com
    
    

    --On Friday, July 9, 2004 3:01 PM -0400 "Humes, David G."
    <David.Humes@jhuapl.edu> wrote:

    > Starting around July 8th we noticed workstations trying to access
    > 67.109.249.3 on port 80 and do a
    >
    > GET /download/IEService215.chm HTTP/1.1
    >
    > Analysis of the users' browsing activity did not reveal any pattern that
    > would suggest that the activity was user-initiated. We suspect that this
    > is something trying to "phone home", but not sure quite what. A reverse
    > lookup of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just
    > tells me that it belongs to XO. Has anyone else seen this and know what
    > it is?
    >
    In general, you can assume that machines downloading *.chm files have been
    compromised. I downloaded the file, and used archmage to decompile it, but
    I don't see anything malicious looking in it. However, it could be part of
    a complex system of file downloads that allows the attackers to control the
    machines. I would *not* leave them on the network *unless* you can block
    that IP at your edge, and I would definitely start poking around for files
    and processes that don't belong on those machines *if* you have the time.

    Otherwise I would reimage them.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
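Detection logic for the request pattern discussed in this thread, added here as an example rather than code from either poster: it scans constructed proxy log lines (Common Log Format with absolute URLs, as a forward proxy writes them) for requests to the server named in the thread and for .chm downloads from any host not on a constructed allowlist, then lists the clients the reply's advice would take off the network. The log lines, the intranet host and the allowlist are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: CLF fields, absolute request URLs as a forward proxy logs them.
SAMPLE_LOG = """\
10.1.2.15 - - [08/Jul/2004:09:14:02 -0400] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 18432
10.1.2.15 - - [08/Jul/2004:09:14:05 -0400] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.1.2.77 - - [08/Jul/2004:11:30:41 -0400] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 18432
10.1.2.77 - - [09/Jul/2004:11:31:02 -0400] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 18432
10.1.2.42 - - [09/Jul/2004:13:05:27 -0400] "GET http://files.example.net/tools/reader.chm HTTP/1.1" 200 40960
10.1.2.90 - - [09/Jul/2004:08:02:13 -0400] "GET http://intranet.example.com/help/manual.chm HTTP/1.1" 200 90112
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

# Hosts that legitimately serve .chm help files (constructed allowlist, assumption).
TRUSTED_CHM_HOSTS = {"intranet.example.com"}
# The server the workstations in the thread were contacting.
WATCHLIST_IPS = {"67.109.249.3"}


def find_chm_fetches(log_text, trusted_hosts=TRUSTED_CHM_HOSTS, watchlist=WATCHLIST_IPS):
    """Return {client_ip: [(timestamp, host, path, reason), ...]} for suspicious requests.

    A request is flagged when it targets a watchlisted server, or when it fetches a
    .chm file from any host that is not on the trusted allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        client, ts, method, url = m.groups()
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
        if host in watchlist:
            reason = "watchlisted host"
        elif path.lower().endswith(".chm") and host not in trusted_hosts:
            reason = "chm from untrusted host"
        else:
            continue
        hits[client].append((ts, host, path, reason))
    return dict(hits)


def clients_to_isolate(log_text):
    """Clients that contacted the watchlisted server: candidates for removal from the network."""
    return sorted(c for c, rows in find_chm_fetches(log_text).items()
                  if any(r[3] == "watchlisted host" for r in rows))


if __name__ == "__main__":
    for client, rows in sorted(find_chm_fetches(SAMPLE_LOG).items()):
        for ts, host, path, reason in rows:
            print(f"{client} {ts} {host}{path} [{reason}]")
    print("isolate:", clients_to_isolate(SAMPLE_LOG))
```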

