Security Incidents mailing list archives

Re: ZOMBIES_HTTP_GET


From: Patrick Oonk <patrick () pine nl>
Date: Mon, 24 Jun 2002 09:42:22 +0200

On Sun, Jun 23, 2002 at 12:45:16PM -0400, Kee Hinckley wrote:
Does anyone know what this is about?

80.14.144.19 - - [17/Jun/2002:17:40:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:17:41:16 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
67.218.5.187 - - [17/Jun/2002:18:04:11 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
67.218.5.187 - - [17/Jun/2002:18:04:32 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:18:23:38 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:18:24:54 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
195.131.106.186 - - [17/Jun/2002:18:25:12 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
195.131.106.186 - - [17/Jun/2002:18:28:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"


As the above IP addresses are all dialup or cable, it looks like yet
another trojan.

-- 
 patrick oonk - pine internet - patrick () pine nl - www.pine.nl/~patrick
 T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl 
 PGPid A4E74BBF  fp A7CF 7611 E8C4 7B79 CA36  0BFD 2CB4 7283 A4E7 4BBF
 Note: my NEW PGP key is available at http://www.pine.nl/~patrick/
 Excuse of the day: root rot

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
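
An added example, not part of the original post or the list archive: a small triage script that parses the Apache combined-format lines quoted above and groups requests carrying the `ZOMBIES_HTTP_GET` User-Agent by client. The function names are hypothetical; the sample input is the eight log lines from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')

# The eight log lines from the post, embedded so the script runs offline.
SAMPLE_LOG = """\
80.14.144.19 - - [17/Jun/2002:17:40:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:17:41:16 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
67.218.5.187 - - [17/Jun/2002:18:04:11 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
67.218.5.187 - - [17/Jun/2002:18:04:32 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:18:23:38 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
80.14.144.19 - - [17/Jun/2002:18:24:54 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
195.131.106.186 - - [17/Jun/2002:18:25:12 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
195.131.106.186 - - [17/Jun/2002:18:28:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET"
"""

def summarize_agent(log_text, agent):
    """Per client IP: hit count, paths, status codes, first-to-last span in seconds."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["agent"] == agent:  # exact match on the User-Agent field
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, m["path"], int(m["status"])))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        report[ip] = {
            "hits": len(hits),
            "paths": sorted({path for _, path, _ in hits}),
            "statuses": sorted({status for _, _, status in hits}),
            "span_seconds": int((hits[-1][0] - hits[0][0]).total_seconds()),
        }
    return report

def shared_paths(report):
    """Paths requested by more than one client, i.e. a target common to several hosts."""
    clients = defaultdict(set)
    for ip, info in report.items():
        for path in info["paths"]:
            clients[path].add(ip)
    return {p: sorted(ips) for p, ips in clients.items() if len(ips) > 1}

if __name__ == "__main__":
    report = summarize_agent(SAMPLE_LOG, "ZOMBIES_HTTP_GET")
    for ip, info in report.items():
        print(ip, info)
    print("shared:", shared_paths(report))
```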