Re: CGI form access

[Todd Haverkos <infosec () haverkos com>]

Rod <securitybasics () gmail com> writes:

> Hello,
>
> I have a laptop I'm working on that is attempting to connect to a few
> IP addresses (see below) in Russia anytime Internet Explorer or
> Firefox is open. These IP addresses appear to be inactive at the
> moment. I've scanned the laptop with 3 different AV applications and
> malwarebytes. I've cleared the cookies and temporary Internet files.
> The laptop still attempts to connect to them. Does anyone have any
> ideas on what the infection might be and how to get rid of it?

Hi Rod, 

"What is it?" is the harder of the two questions.   Forensic
specialist of malware reverse engineers are the highly tuned skillsets
needed perhaps to say unless these look familiar to anyone as bot
command/control.   If you can isolate a sample of an executable and
upload it to virustotal.com maybe one of the 44 AV engines will ahve
some sort of hints for it.  

How to get rid of it, though is easy--the same as any malware: 

    a) you can't trust antivirus (you now have 1st hand experience why)
    b) you can't trust removal tools (as in a above)
    c) flatten and rebuild the OS from optical media

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------