Something connecting to a webpage every minute

**karb0n** · August 31st, 2006, 01:42 PM

I'll do a scan and post what I find

***SirDice*** · August 31st, 2006, 03:18 PM

Perhaps you should concentrate on the machine that's causing the requests instead of trying to find out what the login.fric.cn host is?

As phish already pointed out.. It's probably linked to Cool Web Search.. Now go and clean that machine

The (default) page does indeed show a form:

Code:

dice@maelcum:~>nslookup login.fric.cn
Server:         2001:xxxx:yyyy:1::2
Address:        2001:xxxx:yyyy:1::2#53

Non-authoritative answer:
Name:   login.fric.cn
Address: 64.71.167.64

dice@maelcum:~>nc 64.71.167.64 80
GET / HTTP/1.1
Host: login.fric.cn

HTTP/1.1 200 OK
Content-Length: 95
Content-Type: text/html
Server: ********.embedded/0.9

&lt;FORM ACTION="http://www.microsoft.com" METHOD=POST&gt;
&lt;input type=submit value=" Go! "&gt;
&lt;/FORM&gt;

It's probably a stub. If you really want to know what it does take a closer look at the requests the infected machine is sending.. Fire up your favorite sniffer and capture that traffic..

Whois on the IP shows it's owned by Hurricane Electric Internet Services.

***phishphreek*** · August 31st, 2006, 03:32 PM

Sirdice:
Thanks for that. I can get to that address, but can't resolve via dns.
Oh well, doesn't really matter anyway.

**karb0n** · August 31st, 2006, 09:42 PM

Yes, I've seen that it looks at that webpage everytime i connect to some webpage with IE, so its probably coolwebsearch or something simmilar, however, i'm curious about what it actually sends so I'll keep for some time to find out hehehe.

Thread: Something connecting to a webpage every minute

Thread Tools

Display

Posting Permissions