• anyone recognise the malware causing this please? (from July 2015 -

    From Mike Scott@21:1/5 to All on Tue Mar 15 10:17:27 2016
    A problem understood.....

    Middle of last year, I wrote:
    Hi, my apache web server is moaning about one local client (my
    son's) trying to access non-existent pages, in a pattern that looks
    as though W*Ws malware is present there. My son claims to have done
    a full avast scan with nothing showing up, and disclaims knowledge
    of anything unusual on his machine.

    His machine has also tried to access my internet modem/router; it
    shouldn't even be aware of the existence of that, as he's on a
    separate network arm from that router, tucked behind a freebsd
    router/server box.
    ....
    They are (alpha order)

    /cgi-bin/a2/out.cgi
    /cgi-bin/ajaxmail
    /cgi-bin/arr/index.shtml
    /cgi-bin/at3/out.cgi
    /cgi-bin/atc/out.cgi
    (etc, etc)


    I thought others might be interested in the cause. Which turns out to
    be Avast's own software. They've quietly implemented something they
    call Home Network Security(*), which involves testing the home router
    box for various security issues. The only problem here being that the
    "router box" is actually my gateway freebsd machine, which is secure
    enough to moan about the probes -- although I do have to wonder why
    they've not happened for the last 7 months or so!!!

    On the face of it, a reasonable idea (except it's caused both of us a
    lot of aggro chasing it down), but now malware can hide its probes
    amongst avast's tests; not good. I suspect it's also illegal, at least
    in the UK; not that anyone could ever take action.

    Maybe I'll suggest he replace avast with something that doesn't do
    this.... any suggestions for something better (and £0)?


    For the interested, I dropped in a perl script to dump the environment
    and cgi parameters when one of these was called. It popped up a log with
    (in particular)

    SCRIPT_NAME="/das/cgi-bin/session.cgi"
    HTTP_USER_AGENT="() { ignored; }; echo Content-Type: text/html; echo ;
    echo AVAST-HNS-SCAN-INFECTED ;"

    So presumably testing for the bash vulnerability. What you're supposed
    to do about it if it's found is anyone's guess.




    (*) https://blog.avast.com/2014/11/04/avast-2015-new-feature-home-network-security-scanning/


    --
    Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
    Harlow Essex England

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
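
Added example (not part of the thread, and not the poster's or Avast's code): a log check for the two things the post above describes, bursts of 404s on cgi-bin paths from one client and a header value that begins like a bash function definition. It assumes Apache's "combined" log format; the function name `summarise`, the addresses and the timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Header value that starts like a bash function definition: "() {"
FUNCDEF_RE = re.compile(r'^\s*\(\)\s*\{')
# Marker from the probe quoted in the post. Any client can send this string,
# so its presence is a hint about the sender, not proof of it.
MARKER = "AVAST-HNS-SCAN-INFECTED"

# Constructed sample lines (addresses and timestamps are made up)
SAMPLE_LOG = """\
192.168.2.10 - - [15/Mar/2016:09:58:01 +0000] "GET /cgi-bin/a2/out.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.2.10 - - [15/Mar/2016:09:58:01 +0000] "GET /cgi-bin/ajaxmail HTTP/1.1" 404 206 "-" "Mozilla/5.0"
192.168.2.10 - - [15/Mar/2016:09:58:02 +0000] "GET /das/cgi-bin/session.cgi HTTP/1.1" 404 215 "-" "() { ignored; }; echo Content-Type: text/html; echo ; echo AVAST-HNS-SCAN-INFECTED ;"
192.168.2.77 - - [15/Mar/2016:10:03:40 +0000] "GET /cgi-bin/at3/out.cgi HTTP/1.1" 404 210 "() { ignored; }; echo constructed-test" "-"
192.168.2.10 - - [15/Mar/2016:10:05:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

def summarise(log_text):
    """Per client: count of 404s on cgi-bin paths, plus function-definition header probes."""
    report = defaultdict(lambda: {"cgi_404": 0, "funcdef_probes": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        entry = report[m["host"]]
        if m["status"] == "404" and "/cgi-bin/" in m["path"]:
            entry["cgi_404"] += 1
        for field in ("referer", "agent"):
            if FUNCDEF_RE.match(m[field]):
                label = "carries-avast-marker" if MARKER in m[field] else "no-marker"
                entry["funcdef_probes"].append((m["path"], field, label))
    return dict(report)

if __name__ == "__main__":
    for host, entry in summarise(SAMPLE_LOG).items():
        print(host, entry)
```

Both clients are reported the same way whether or not the marker is present, which matches the concern raised in the post: the marker alone does not distinguish the scanner from anything imitating it.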
  • From cl@isbd.net@21:1/5 to Mike Scott on Tue Mar 15 11:58:23 2016
    Mike Scott <usenet.16@scottsonline.org.uk.invalid> wrote:
    A problem understood.....

    Middle of last year, I wrote:
    Hi, my apache web server is moaning about one local client (my
    son's) trying to access non-existent pages, in a pattern that looks
    as though W*Ws malware is present there. My son claims to have done
    a full avast scan with nothing showing up, and disclaims knowledge
    of anything unusual on his machine.

    His machine has also tried to access my internet modem/router; it
    shouldn't even be aware of the existence of that, as he's on a
    separate network arm from that router, tucked behind a freebsd
    router/server box.
    ....
    They are (alpha order)

    /cgi-bin/a2/out.cgi
    /cgi-bin/ajaxmail
    /cgi-bin/arr/index.shtml
    /cgi-bin/at3/out.cgi
    /cgi-bin/atc/out.cgi
    (etc, etc)


    I thought others might be interested in the cause. Which turns out to
    be Avast's own software. They've quietly implemented something they
    call Home Network Security(*), which involves testing the home router
    box for various security issues. The only problem here being that the
    "router box" is actually my gateway freebsd machine, which is secure
    enough to moan about the probes -- although I do have to wonder why
    they've not happened for the last 7 months or so!!!

    On the face of it, a reasonable idea (except it's caused both of us a
    lot of aggro chasing it down), but now malware can hide its probes
    amongst avast's tests; not good. I suspect it's also illegal, at least
    in the UK; not that anyone could ever take action.

    Maybe I'll suggest he replace avast with something that doesn't do
    this.... any suggestions for something better (and £0)?


    For the interested, I dropped in a perl script to dump the environment
    and cgi parameters when one of these was called. It popped up a log with
    (in particular)

    SCRIPT_NAME="/das/cgi-bin/session.cgi"
    HTTP_USER_AGENT="() { ignored; }; echo Content-Type: text/html; echo ;
    echo AVAST-HNS-SCAN-INFECTED ;"

    So presumably testing for the bash vulnerability. What you're supposed
    to do about it if it's found is anyone's guess.

    Absolutely typical, the whole 'anti-virus' industry is a huge con as
    far as I'm concerned.

    When I (or my son, who is better at it) investigate slow MS Windows
    systems it's nine times out of ten due to Norton or some other
    'protection' software hogging the disk or CPU.

    --
    Chris Green