I'll do a scan and post what I find
Perhaps you should concentrate on the machine that's causing the requests instead of trying to find out what the login.fric.cn host is?
As phish already pointed out.. It's probably linked to Cool Web Search.. Now go and clean that machine ;)
The (default) page does indeed show a form:
It's probably a stub. If you really want to know what it does take a closer look at the requests the infected machine is sending.. Fire up your favorite sniffer and capture that traffic..
Code:
dice@maelcum:~>nslookup login.fric.cn
Server: 2001:xxxx:yyyy:1::2
Address: 2001:xxxx:yyyy:1::2#53
Non-authoritative answer:
Name: login.fric.cn
Address: 64.71.167.64
dice@maelcum:~>nc 64.71.167.64 80
GET / HTTP/1.1
Host: login.fric.cn
HTTP/1.1 200 OK
Content-Length: 95
Content-Type: text/html
Server: ********.embedded/0.9
<FORM ACTION="http://www.microsoft.com" METHOD=POST>
<input type=submit value=" Go! ">
</FORM>
Whois on the IP shows it's owned by Hurricane Electric Internet Services.
Sirdice:
Thanks for that. I can get to that address, but can't resolve via DNS.
Oh well, doesn't really matter anyway.
Yes, I've seen that it looks at that webpage every time I connect to some webpage with IE, so it's probably coolwebsearch or something similar, however, I'm curious about what it actually sends so I'll keep it for some time to find out hehehe.