-
August 31st, 2006, 01:42 PM
#11
Junior Member
I'll do a scan and post what I find
-
August 31st, 2006, 03:18 PM
#12
Perhaps you should concentrate on the machine that's causing the requests instead of trying to find out what the login.fric.cn host is?
As phish already pointed out.. It's probably linked to Cool Web Search.. Now go and clean that machine
The (default) page does indeed show a form:
Code:
dice@maelcum:~>nslookup login.fric.cn
Server: 2001:xxxx:yyyy:1::2
Address: 2001:xxxx:yyyy:1::2#53
Non-authoritative answer:
Name: login.fric.cn
Address: 64.71.167.64
dice@maelcum:~>nc 64.71.167.64 80
GET / HTTP/1.1
Host: login.fric.cn
HTTP/1.1 200 OK
Content-Length: 95
Content-Type: text/html
Server: ********.embedded/0.9
<FORM ACTION="http://www.microsoft.com" METHOD=POST>
<input type=submit value=" Go! ">
</FORM>
It's probably a stub. If you really want to know what it does take a closer look at the requests the infected machine is sending.. Fire up your favorite sniffer and capture that traffic..
Whois on the IP shows it's owned by Hurricane Electric Internet Services.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 31st, 2006, 03:32 PM
#13
Sirdice:
Thanks for that. I can get to that address, but can't resolve via dns.
Oh well, doesn't really matter anyway.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
August 31st, 2006, 09:42 PM
#14
Junior Member
Yes, I've seen that it looks at that webpage everytime i connect to some webpage with IE, so its probably coolwebsearch or something simmilar, however, i'm curious about what it actually sends so I'll keep for some time to find out hehehe.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|