Security Basics mailing list archives

Re: \xe7y~REg9\xe0\xe0%\xc9\x02 in HTTPd log


From: "Salvatore Poliandro" <jello () vanished net>
Date: Mon, 28 Jul 2003 21:32:50 -0400

From: "Mike Johanning" <tr4nc3 () cox net>
Subject: \xe7y~REg9\xe0\xe0%\xc9\x02 in HTTPd log

I've been getting lines like this in my Apache server logs:

67.120.110.74 - - [27/Jul/2003:00:11:17 -0700] "\xe7y~REg9\xe0\xe0%\xc9 \x02" 200 3352
----------------------------------------------------------------------------

I have a private web server running NetReg on our wireless side of things; I
started seeing these as well. Here are the requests in question and the
surrounding traffic:

10.10.2.250 - - [28/Jul/2003:19:35:22 -0400] "\x01\x85\xfe\t\x05\x95\x13\x17\x043\x05)" 400 -
10.10.2.250 - - [28/Jul/2003:19:37:35 -0400] "\x88rR\xf5|g-9v\xe3\xc2\xa5" 501 -
10.10.2.250 - - [28/Jul/2003:19:38:46 -0400] "S\"_f\xb3\x83M\xf0\x12\x02\x02H" 501 -
10.10.2.250 - - [28/Jul/2003:19:39:16 -0400] "u\x8d6\xff\x99\xb5\xc3\xd4n\xec\xa3*" 501 -
10.10.2.250 - - [28/Jul/2003:19:39:37 -0400] "\v\xfa]\xc6\xfb\xd3 \x0f\x12\xc1\x1b)" 400 379
10.10.2.250 - - [28/Jul/2003:19:39:47 -0400] "\x13n%" 501 -
10.10.2.250 - - [28/Jul/2003:19:41:29 -0400] "\xfcz\x89R\x10\x87\xdd\xf6\x80R\xa8 " 501 -
10.10.2.250 - - [28/Jul/2003:19:41:49 -0400] "\x0fQ\x98.\xffT,\x8e\xb9\xff\xd8Y" 501 -
10.10.2.250 - - [28/Jul/2003:19:42:20 -0400] "\xb42\x88\x93X\xd7\xb0\x15B\"\bi" 501 -
10.10.2.250 - - [28/Jul/2003:19:43:31 -0400] "\xe8m}\xfe\x1c\xa2\xc3)\x10HD%" 501 -
10.10.2.250 - - [28/Jul/2003:19:43:41 -0400] "\x87V\x1dn\x87Y\xf8\x18\xc4\xc6\xc0\x1b" 501 -
10.10.2.250 - - [28/Jul/2003:19:44:11 -0400] "\x99\xb2\xf3\xd2m\x8cm\xfc~\xb9g+" 501 -
10.10.2.250 - - [28/Jul/2003:19:44:22 -0400] "\xa1&{\xbad\xf2\x95H\x11\x10" 501 -
10.10.2.250 - - [28/Jul/2003:19:45:16 -0400] "GET /Class3CodeSigningCA2001.crl HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:19:45:43 -0400] "sZ\xd0:\x93t\xddK\x10" 501 -

A little later...

10.10.2.250 - - [28/Jul/2003:20:00:32 -0400] "POST /gs_med HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:03:33 -0400] "POST /servlet6/servlet/SbStartServlet?SbUID=F099DA07E7B74C97829E99A0E8A1240E&SbSID=E3F78FCF5E1E42DCBDD5A2FB52E08DDF HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:03:34 -0400] "GET /scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409 HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:03:34 -0400] "GET /OffersDataGZ?update=20030629145120 HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:03:38 -0400] "GET /us/kmdstart.htm?country=us&client=kmd&ver=202&noad=0 HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:15:16 -0400] "GET /Class3CodeSigningCA2001.crl HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:20:05 -0400] "POST /lcgi-bin/UPD/empi.cgi?geo=-5:00_USA_845&cm=0&tsid=2&lng=ENU&id_vlz=2f8ef70637614444a4a1b7fcf7cd884f&inf=8013&ov=0.0.1.1481&venid=ag&d=470&num=819&src=EApp.0&ver=scan.3500&prod=scan HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:20:45:17 -0400] "GET /Class3CodeSigningCA2001.crl HTTP/1.1" 404 366
10.10.2.250 - - [28/Jul/2003:21:15:17 -0400] "GET /Class3CodeSigningCA2001.crl HTTP/1.1" 404 366

That last section looks like a restart. It looks like
OffersDataGZ?update=20030629145120 is causing this mess; I'm not sure yet. It
looks to be heading towards whenu.com SaveNow, a known malware bundled with
KaZaA. I will look into it more in the coming days.

Sal
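Added example (not part of this thread, and not code from NetReg, Apache or
any of the products named above): a small Python script that undoes Apache's
log escaping, separates request lines that were never HTTP from ordinary
ones, and flags the adware-style paths the thread points at. The beacon
labels are this example's own assumption, and the last sample line is a
constructed ordinary request; the other sample lines follow entries quoted
in the thread.

```python
"""Triage Apache access-log lines whose "request" field is not an HTTP request.

Apache escapes non-printable bytes in the logged request line as \\xNN and
uses \\t, \\v, \\b, \\" and \\\\ for a few others, which is why the entries
in this thread look the way they do. This decodes that escaping, separates
request lines that were never HTTP from ordinary ones, and flags paths that
match the adware beacons discussed in the thread.
"""
import re
from collections import defaultdict
from typing import Optional

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)
# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/1.x
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/1\.[01]$')

# Single-character escapes produced by Apache's log escaping.
SIMPLE_ESCAPES = {
    'n': b'\n', 'r': b'\r', 't': b'\t', 'v': b'\v', 'b': b'\b',
    'f': b'\f', 'a': b'\a', '"': b'"', '\\': b'\\',
}
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')

# Paths seen in this thread and the label the thread attaches to them.
# This list is an assumption made for the example, not an Apache feature.
BEACON_HINTS = (
    ('/OffersDataGZ', 'WhenU SaveNow offer update (per the thread)'),
    ('/kmdstart.htm', 'Kazaa Media Desktop start page'),
    ('/Class3CodeSigningCA2001.crl', 'certificate revocation list fetch'),
)


def unescape_apache(field: str) -> bytes:
    """Reverse Apache's log escaping, giving the raw bytes the server saw."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))          # \xNN -> one byte
        else:
            ch = m.group(2)                           # \t, \", \\ ...
            out += SIMPLE_ESCAPES.get(ch, b'\\' + ch.encode('latin-1'))
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def classify(line: str) -> Optional[dict]:
    """Parse one log line; return None if it is not Common Log Format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw = unescape_apache(m.group('request'))
    entry = {'host': m.group('host'), 'status': int(m.group('status')),
             'request': raw, 'kind': 'http'}
    text = raw.decode('latin-1')
    if not REQUEST_RE.match(text):
        # Never a valid request line: the client is speaking something other
        # than HTTP to port 80 (Apache answers these with 400 or 501).
        entry['kind'] = 'non-http'
        entry['nonprintable'] = sum(1 for b in raw if b < 0x20 or b > 0x7e)
        return entry
    path = text.split(' ', 2)[1].split('?', 1)[0]
    for needle, label in BEACON_HINTS:
        if needle in path:
            entry['kind'] = 'beacon'
            entry['label'] = label
            break
    return entry


def triage(lines):
    """Per-client summary: how many non-HTTP lines, and which beacons."""
    report = defaultdict(lambda: {'non-http': 0, 'http': 0, 'beacons': []})
    for line in lines:
        e = classify(line)
        if e is None:
            continue
        r = report[e['host']]
        if e['kind'] == 'beacon':
            r['http'] += 1
            r['beacons'].append(e['label'])
        else:
            r[e['kind']] += 1
    return dict(report)


# Sample input: the first six lines follow entries quoted in this thread,
# re-joined onto single lines; the last one is constructed ordinary traffic.
SAMPLE_LOG = [
    r'10.10.2.250 - - [28/Jul/2003:19:35:22 -0400] "\x01\x85\xfe\t\x05\x95\x13\x17\x043\x05)" 400 -',
    r'10.10.2.250 - - [28/Jul/2003:19:38:46 -0400] "S\"_f\xb3\x83M\xf0\x12\x02\x02H" 501 -',
    r'10.10.2.250 - - [28/Jul/2003:19:42:20 -0400] "\xb42\x88\x93X\xd7\xb0\x15B\"\bi" 501 -',
    r'10.10.2.250 - - [28/Jul/2003:19:45:16 -0400] "GET /Class3CodeSigningCA2001.crl HTTP/1.1" 404 366',
    r'10.10.2.250 - - [28/Jul/2003:20:03:34 -0400] "GET /OffersDataGZ?update=20030629145120 HTTP/1.1" 404 366',
    r'10.10.2.250 - - [28/Jul/2003:20:03:38 -0400] "GET /us/kmdstart.htm?country=us&client=kmd&ver=202&noad=0 HTTP/1.1" 404 366',
    r'10.10.2.7 - - [28/Jul/2003:20:05:00 -0400] "GET /index.html HTTP/1.0" 200 1234',
]

if __name__ == '__main__':
    for host, summary in triage(SAMPLE_LOG).items():
        print(host, summary)
```

Run it as-is, or feed it `open('access_log')` instead of SAMPLE_LOG. The
`nonprintable` count separates random binary (what the 400/501 entries above
decode to) from requests that are merely odd but still ASCII; a 400 or 501
on a garbage request line just means Apache refused to parse it, so the
useful follow-up is on the client side: what on 10.10.2.250 is talking to
port 80 every minute or so, and whether it is the same process that later
fetches the OffersDataGZ and kmdstart.htm paths.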

