gushi: (Default)

Huh? What's the Bagle problem? No, it has nothing to do with not being able to find a decent bagel store in California.
(Although that's definitely also a problem.)

It's not a problem per se, except that my webserver logs have hundreds of hits like this:

prime.gushi.org 71.30.188.182 - - [06/Jun/2009:15:02:08 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 
  (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; GTB5)"
prime.gushi.org 98.175.208.182 - - [06/Jun/2009:15:02:35 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 
  (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
prime.gushi.org 71.242.102.171 - - [06/Jun/2009:15:02:41 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 
  (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

Know what that is? It's a virus. One that specifically tries to download an exe-disguised-as-a-gif from prime.gushi.org.
That file was never actually available for download, but (I guess because of my security activities) I was targeted.

In fact, http://prime.gushi.org has always just returned a "forbidden" page.

So here's how it will work.

1) This site now rotates its logs daily.
2) A tool goes through "yesterday's" logs and parses them (this bit is already written).
3) It all gets stuck in a database. The time field (the bit in the []'s) gets rewritten as a unixtime to handle the annoyance of timezone conversion (since unixtimes are all UTC).
4) A tool then goes through the database, looks at all the "seen today" hits, runs abuseEmail on the IPs, and complains in the right direction.
5) This also gets logged in a database, so that I can see every report I've submitted to a given abuse contact, and track historicals.
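Steps 2 through 5 as one runnable Python sketch. This is an added example, not the post's own parser or abuseEmail: it assumes the vhost-prefixed combined log format shown in the excerpt, uses SQLite for the database, treats "today" as a UTC day (so a hit logged at 21:30 -0400 lands on the next UTC day, which is exactly the conversion headache step 3 is about), and takes the abuse contact as a plain parameter because the WHOIS lookup is the part that is still broken. The log lines and IP addresses are constructed for the example.

```python
import re
import sqlite3
from datetime import datetime, timezone

WORM_PATH = "/777.gif"  # the request the excerpt above shows

# Vhost-prefixed combined log format, as in the excerpt (vhost ip ident user [ts] "req" status size "ref" "ua").
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not from the post: two hits from one host, one hit that crosses
# UTC midnight, one unrelated request, one hit logged in a +0200 zone, one garbage line.
SAMPLE_LOG = """\
prime.gushi.org 192.0.2.10 - - [06/Jun/2009:15:02:08 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
prime.gushi.org 192.0.2.10 - - [06/Jun/2009:16:10:41 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
prime.gushi.org 198.51.100.7 - - [06/Jun/2009:21:30:00 -0400] "GET /777.gif HTTP/1.1" 404 324 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
prime.gushi.org 203.0.113.5 - - [06/Jun/2009:15:05:00 -0400] "GET / HTTP/1.1" 403 212 "-" "Mozilla/5.0"
prime.gushi.org 203.0.113.9 - - [07/Jun/2009:01:00:00 +0200] "GET /777.gif HTTP/1.0" 404 324 "-" "-"
this line is not a log entry
"""

def to_unixtime(ts):
    """'06/Jun/2009:15:02:08 -0400' -> epoch seconds (UTC), honouring the zone offset."""
    return int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())

def parse_line(line):
    """Step 2: one log line -> dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["unixtime"] = to_unixtime(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

SCHEMA = """
CREATE TABLE IF NOT EXISTS hits (
    ip TEXT NOT NULL, unixtime INTEGER NOT NULL, path TEXT NOT NULL,
    status INTEGER NOT NULL, ua TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS reports (
    ip TEXT NOT NULL, abuse_contact TEXT NOT NULL, reported_at INTEGER NOT NULL);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def load_log(conn, text):
    """Step 3: store every parseable line. Returns (stored, unparseable)."""
    stored = skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        conn.execute("INSERT INTO hits VALUES (?, ?, ?, ?, ?)",
                     (rec["ip"], rec["unixtime"], rec["path"], rec["status"], rec["ua"]))
        stored += 1
    conn.commit()
    return stored, skipped

def day_bounds(day):
    """UTC calendar day 'YYYY-MM-DD' -> [start, end) in epoch seconds."""
    start = int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
    return start, start + 86400

def worm_hits_on(conn, day, path=WORM_PATH):
    """Step 4: distinct IPs that requested the worm path on a UTC day, with counts."""
    start, end = day_bounds(day)
    rows = conn.execute(
        "SELECT ip, COUNT(*), MIN(unixtime), MAX(unixtime) FROM hits "
        "WHERE path = ? AND unixtime >= ? AND unixtime < ? GROUP BY ip ORDER BY ip",
        (path, start, end)).fetchall()
    return [{"ip": r[0], "hits": r[1], "first": r[2], "last": r[3]} for r in rows]

def ips_to_report(conn, day, quiet_days=7, path=WORM_PATH):
    """Skip IPs already reported within quiet_days, so one host is not reported daily."""
    start, _ = day_bounds(day)
    cutoff = start - quiet_days * 86400
    recent = {r[0] for r in conn.execute(
        "SELECT DISTINCT ip FROM reports WHERE reported_at >= ?", (cutoff,))}
    return [h for h in worm_hits_on(conn, day, path) if h["ip"] not in recent]

def record_report(conn, ip, abuse_contact, reported_at):
    """Step 5: log what was sent to which contact (the contact itself comes from WHOIS, not done here)."""
    conn.execute("INSERT INTO reports VALUES (?, ?, ?)", (ip, abuse_contact, reported_at))
    conn.commit()

def history_for_contact(conn, abuse_contact):
    return conn.execute(
        "SELECT ip, reported_at FROM reports WHERE abuse_contact = ? ORDER BY reported_at",
        (abuse_contact,)).fetchall()

def demo():
    conn = open_db()
    stored, skipped = load_log(conn, SAMPLE_LOG)
    # Pretend 192.0.2.10 was already reported two days earlier (hypothetical contact address).
    record_report(conn, "192.0.2.10", "abuse@example.net", day_bounds("2009-06-04")[0])
    return {
        "stored": stored, "skipped": skipped,
        "seen_2009_06_06": worm_hits_on(conn, "2009-06-06"),
        "seen_2009_06_07": worm_hits_on(conn, "2009-06-07"),
        "to_report_2009_06_06": [h["ip"] for h in ips_to_report(conn, "2009-06-06")],
        "history": history_for_contact(conn, "abuse@example.net"),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Note how the UTC day boundary moves hits around: the 21:30 -0400 request belongs to 2009-06-07 UTC, while the 01:00 +0200 request on the 7th belongs to 2009-06-06 UTC. Whatever day convention the reporting tool picks, it should be the one the timestamps in the abuse mail are expressed in, or the recipient cannot match the report against their own logs.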

I vaguely wonder if these infected machines would accept cookies so I could track them that way. The user-agents are not unique enough in some cases.

The problem is with #4 right now: AbuseEmail seems more than a little broken. It looks for SOA records in places it should be trying WHOIS, and it seems rather uneducated about modern whois/rwhois servers. I've contacted the author. It hasn't been maintained since 2001. I might have to fork it. It might also work better as a module. I also haven't structured the DB yet, but that's trivial.

If any of you coders out there want to try and help out with this, I'm more than happy to share credit. I've suggested to my job they might be interested in this data, but there doesn't seem to be much excitement. It's one (much older) worm, and not nearly as prevalent as some of the others out there. Still, with the right amount of work, I could singlehandedly wipe a virus off the planet.

I've already considered the fact: these computers are going to download a file from me, and run it silently with administrator privileges. I could give them a virus-cleaning, or even a courtesy-reformat, but that's definitely the wrong thing to do.

Page generated Sep. 26th, 2017 07:12 am
Powered by Dreamwidth Studios