Re: Rash of seemingly "old" virii

[Gary Flynn <flynngn () JMU EDU>]

Peter Charbonneau wrote:

> I am seeing some of our student computers (to the tune of 10-12
> machines) hitting various web servers, both inside and outside our
> campus, requesting:
>
> 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
> /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
> 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
> /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
> 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "SEARCH
> /
> \x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
> 4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H .... [thousands of characters
> removed for sanity sake]
>
> In searching the web, I find that this SEEMS to be the FrontPage
> extension attack from 2-3 years ago.  I "got a hold" of a couple of
> student machines that were the xxx.yyy addresses.  So far, BOTH of
> these machines have AV protection running AND have updated def files.
> I have run various Spyware scans using all 17,000 of our favorite
> Spyware tools - nothing has come up (well, gator, but that is kinda
> expected) that clues me into what is going on.
>
> I am wondering whether any of you have seen anything like this, or
> potentially have an explanation.  I am just about at my wits end trying
> to counter/explain it.


Get a list of running processes and see if you can identify
a common one or stop the traffic by disabling suspect
processes.

If you get a suspect, submit it to virustotal:
http://www.virustotal.com/xhtml/index_en.html

and your friendly neighborhood AV vendor of choice.

My guess is that you've got yet another new
ago/sd/gao/whachamacallit BOT. I've run into two
in the past couple weeks alone.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.