
Mon 21 Jan 2002's Blog

Today, while I was running the Puakma web server on my laptop, I noticed a string of rejected GET requests from IP address 194.159.138.181. Assuming (hoping) the server was IIS, it was trying to get access to the "scripts" directory using the Recursive Directory Vulnerability (or whatever it was called).
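To give the log-side view of the probes described above, here is an added example (not code from the original post): a small Python scanner over constructed access-log lines that flags requests for the IIS "scripts" directory carrying encoded "../" traversal or the cmd.exe/root.exe names typical of those probes, and tallies them per source address. The log lines, timestamps and the 10.0.0.7 address are constructed; the probe paths are the well-known Nimda-era ones, not taken from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); the first three mimic
# the probes the post describes, the last two are ordinary traffic.
SAMPLE_LOG = """\
194.159.138.181 - - [21/Jan/2002:09:12:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
194.159.138.181 - - [21/Jan/2002:09:12:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
194.159.138.181 - - [21/Jan/2002:09:12:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [21/Jan/2002:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.7 - - [21/Jan/2002:09:13:11 +0000] "GET /scripts/app.js HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# ".." followed by a slash, backslash or a percent-encoded byte: catches plain
# "../", the "%c0%af" overlong-UTF-8 slash and the double-encoded "%255c".
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|%[0-9a-f]{2})")
SUSPICIOUS_NAMES = ("root.exe", "cmd.exe")


def is_probe(path):
    """True if a request path looks like an IIS /scripts/ traversal probe."""
    lowered = path.lower()
    if not lowered.startswith("/scripts/"):
        return False
    # Decode twice so a path hidden behind double encoding is still inspected.
    decoded = unquote(unquote(lowered))
    if any(name in decoded for name in SUSPICIOUS_NAMES):
        return True
    return bool(TRAVERSAL_RE.search(lowered) or TRAVERSAL_RE.search(decoded))


def scan(log_text):
    """Return a Counter of probe requests per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and is_probe(match.group("path")):
            hits[match.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} probe request(s)")
```

Ordinary requests under /scripts/ (such as the app.js line) are left alone; only traversal sequences or the backdoor names trigger a hit, which is what you would want to alert on rather than every 404.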

The first thing I did was go to this address in IE. Ironically, it is running IIS 4.0. All appears normal until you see the extra "hidden" window it launched (top=6000, left=6000). The address launched is a strange one: "mhtml:http://194.159.138.181/readme.eml". This tries to launch a .wav sound file in IE's Media Player. Not having this enabled, I was prompted for what I wanted to do with the file "wbkF3.tmp.wav". I saved it to my desktop. Being careful not to run it, I opened it in a text editor. In it I found lines identifying it as harmful, such as: "Concept Virus (CV) V.6 (This's CV No Nimda)".

Next thing I did was go to UXN's Spam Combat site and do a WHOIS on that IP. This showed it as belonging to Oceanus Group Ltd, Birmingham, a seemingly legit company. The address was listed as being hosted by Demon, so I have mailed their abuse department and await further news.

Things like this bore me so much... even though I did learn that Symantec run their support site on Domino. I wonder if they got the Print Friendly trick from here? Also found a list of common JavaScript syntax errors.

About This Page

Written by Jake Howlett on Mon 21 Jan 2002


