Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Kent Frazier


You might try submitting the file at https://www.virustotal.com
and see what it detects.

On 1/4/16 8:18 AM, Michael D. Berger wrote:

Examining with Lemmy (A Windows version of VI), it looks like a binary file.
Size is 181.4 KB.
I am considering my favorite virus remover: DBAN, but it would take several
days work to recover from that.

Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/



-Original Message-
From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
Sent: Monday, January 04, 2016 05:03
To: users@httpd.apache.org
Subject: RE: [users@httpd] Possible virus via httpd server

Well, what do you see if you examine the file in a text editor?


-Original Message-
From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
Sent: 04 January 2016 05:03
To: Apache-Users
Subject: [users@httpd] Possible virus via httpd server

Using my WinXP Firefox client to access my previously working httpd
2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
index.html .  Do you think I have a virus on my Linux box?  I did
notice that my iptables is not as tight as it should be.

--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Berger
I tried the submission you suggest.  It said it is an executable file,
suitable for my Linux box.  I don't think I am about to run it.  Note that
my ESET NOD32 virus software finds nothing wrong with it.

Thanks,
Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  

> -Original Message-
> From: Kent Frazier [mailto:frazier...@sbcglobal.net] 
> Sent: Monday, January 04, 2016 13:57
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
> 
> 
> You might try submitting the file at 
> https://www.virustotal.com and see what it detects.
> 
> On 1/4/16 8:18 AM, Michael D. Berger wrote:
> > Examining with Lemmy (A Windows version of VI), it looks 
> like a binary file.
> > Size is 181.4 KB.
> > I am considering my favorite virus remover: DBAN, but it would take 
> > several days work to recover from that.
> >
> > Mike.
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/
> >
> >
> >> -Original Message-
> >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> >> Sent: Monday, January 04, 2016 05:03
> >> To: users@httpd.apache.org
> >> Subject: RE: [users@httpd] Possible virus via httpd server
> >>
> >> Well, what do you see if you examine the file in a text editor?
> >>
> >>> -Original Message-
> >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> >>> Sent: 04 January 2016 05:03
> >>> To: Apache-Users
> >>> Subject: [users@httpd] Possible virus via httpd server
> >>>
> >>> Using my WinXP Firefox client to access my previously 
> working httpd
> >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
> >>> index.html .  Do you think I have a virus on my Linux box?  I did 
> >>> notice that my iptables is not as tight as it should be.
> >>>
> >>> --
> >>> Michael D. Berger
> >>> m.d.ber...@ieee.org
> >>> http://www.rosemike.net/



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Berger
Following your suggestion, I made use of my daily backups to install
the httpd.conf from two days ago, when all was well. The problem was
the same.  I tried submitting a file to sophos, but I would have to
join, and I am not ready for that.  See also my next email.

Still heading toward DBAN.

Thanks,
Mike.

--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  

> -Original Message-
> From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk] 
> Sent: Monday, January 04, 2016 11:25
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
> 
> Hi Mike.
> 
> You might like to send this to sophos for analysis:
> 
> https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
> 
> As index.html is the default page if nothing else is configured,
> has your httpd.conf file been modified to serve this binary file
> instead of index.html?
> 
> HTH,
> 
> Keith Roberts
> 
> On 4 Jan 2016, at 16:18, Michael D. Berger 
>  wrote:
> 
> > Warning: This message contains unverified links which may 
> not be safe.  You should only click links if you are sure 
> they are from a trusted source.
> > Examining with Lemmy (A Windows version of VI), it looks 
> like a binary file.
> > Size is 181.4 KB.
> > I am considering my favorite virus remover: DBAN, but it would take 
> > several days work to recover from that.
> > 
> > Mike.
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/
> > 
> > 
> >> -Original Message-
> >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> >> Sent: Monday, January 04, 2016 05:03
> >> To: users@httpd.apache.org
> >> Subject: RE: [users@httpd] Possible virus via httpd server
> >> 
> >> Well, what do you see if you examine the file in a text editor?
> >> 
> >>> -Original Message-
> >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> >>> Sent: 04 January 2016 05:03
> >>> To: Apache-Users
> >>> Subject: [users@httpd] Possible virus via httpd server
> >>> 
> >>> Using my WinXP Firefox client to access my previously 
> working httpd
> >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
> >>> index.html .  Do you think I have a virus on my Linux box?  I did 
> >>> notice that my iptables is not as tight as it should be.
> >>> 
> >>> --
> >>> Michael D. Berger
> >>> m.d.ber...@ieee.org
> >>> http://www.rosemike.net/



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread IdealGourmet
Stop sending emails to this address. You are making an error!!!

-Original Message-
From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
Sent: Monday, 4 January 2016 21:42
To: users@httpd.apache.org; frazier...@sbcglobal.net
Subject: RE: [users@httpd] Possible virus via httpd server

I tried the submission you suggest.  It said it is an executable file,
suitable for my Linux box.  I don't think I am about to run it.  Note that
my ESET NOD32 virus software finds nothing wrong with it.

Thanks,
Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  

> -Original Message-
> From: Kent Frazier [mailto:frazier...@sbcglobal.net]
> Sent: Monday, January 04, 2016 13:57
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
> 
> 
> You might try submitting the file at
> https://www.virustotal.com and see what it detects.
> 
> On 1/4/16 8:18 AM, Michael D. Berger wrote:
> > Examining with Lemmy (A Windows version of VI), it looks
> like a binary file.
> > Size is 181.4 KB.
> > I am considering my favorite virus remover: DBAN, but it would take 
> > several days work to recover from that.
> >
> > Mike.
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/
> >
> >
> >> -Original Message-
> >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> >> Sent: Monday, January 04, 2016 05:03
> >> To: users@httpd.apache.org
> >> Subject: RE: [users@httpd] Possible virus via httpd server
> >>
> >> Well, what do you see if you examine the file in a text editor?
> >>
> >>> -Original Message-
> >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> >>> Sent: 04 January 2016 05:03
> >>> To: Apache-Users
> >>> Subject: [users@httpd] Possible virus via httpd server
> >>>
> >>> Using my WinXP Firefox client to access my previously
> working httpd
> >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
> >>> index.html .  Do you think I have a virus on my Linux box?  I did 
> >>> notice that my iptables is not as tight as it should be.
> >>>
> >>> --
> >>> Michael D. Berger
> >>> m.d.ber...@ieee.org
> >>> http://www.rosemike.net/



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Daniel Beardsmore
Well, what do you see if you examine the file in a text editor?

> -Original Message-
> From: Michael D. Berger [mailto:m.d.ber...@ieee.org] 
> Sent: 04 January 2016 05:03
> To: Apache-Users
> Subject: [users@httpd] Possible virus via httpd server
> 
> Using my WinXP Firefox client to access my previously working httpd 2.4
> server on Fedora 23 gets a file named 1OfvyQ5L instead of my index.html .
> Do you think I have a virus on my Linux box?  I did notice that my iptables
> is not as tight as it should be.
> 
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Berger
It was not overwritten.  If you looked on the server, it was just fine.
But an executable was delivered instead.  In any case, it is gone
with the wind -- DBAN is now running on the server. Hopefully,
the reinstallation will work better.
 
Mike.
 
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  
 


  _  

From: Dino B. [mailto:mypascal2...@gmail.com] 
Sent: Monday, January 04, 2016 19:36
To: users@httpd.apache.org
Subject: RE: [users@httpd] Possible virus via httpd server



Hmmm, index.html is just default page???  Strange that it got
overwritten by some executable

--
Dino Buljubasic


--
Dino Buljubasic
Cell 604 441 3560

Please pardon my brevity - sent from my mobile device.  Please excuse any
typos.

On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:


Following your suggestion, I made use of my daily backups to install
the httpd.conf from two days ago, when all was well. The problem was
the same.  I tried submitting a file to sophos, but I would have to
join, and I am not ready for that.  See also my next email.

Still heading toward DBAN.

Thanks,
Mike.

--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/


> -Original Message-
> From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
> Sent: Monday, January 04, 2016 11:25
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
>
> Hi Mike.
>
> You might like to send this to sophos for analysis:
>
> https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>
> As index.html is the default page if nothing else is
> configured, has your httpd.conf file been modified to serve
> this binary file instead of index.html?
>
> HTH,
>
> Keith Roberts
>
> On 4 Jan 2016, at 16:18, Michael D. Berger
>  wrote:
>
> > Warning: This message contains unverified links which may
> not be safe.  You should only click links if you are sure
> they are from a trusted source.
> > Examining with Lemmy (A Windows version of VI), it looks
> like a binary file.
> > Size is 181.4 KB.
> > I am considering my favorite virus remover: DBAN, but it would take
> > several days work to recover from that.
> >
> > Mike.
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/
> >
> >
> >> -Original Message-
> >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> >> Sent: Monday, January 04, 2016 05:03
> >> To: users@httpd.apache.org
> >> Subject: RE: [users@httpd] Possible virus via httpd server
> >>
> >> Well, what do you see if you examine the file in a text editor?
> >>
> >>> -Original Message-
> >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> >>> Sent: 04 January 2016 05:03
> >>> To: Apache-Users
> >>> Subject: [users@httpd] Possible virus via httpd server
> >>>
> >>> Using my WinXP Firefox client to access my previously
> working httpd
> >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
> >>> index.html .  Do you think I have a virus on my Linux box?  I did
> >>> notice that my iptables is not as tight as it should be.
> >>>
> >>> --
> >>> Michael D. Berger
> >>> m.d.ber...@ieee.org
> >>> http://www.rosemike.net/





Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Wood
Interesting... let us know what you find.

Sent from my iPhone

> On Jan 4, 2016, at 9:06 PM, Michael D. Berger  wrote:
> 
> I don't think index.html was changed, but I only took a quick look.
> I have it backed up in a tgz file, so when the Linux box comes back up
> (maybe tomorrow), I'll take a closer look
>  
> It is also possible that there was something wrong with httpd.config .
> It is quite complex, with numerous RewriteRule, etc.  However, even
> when I commented out ALL the virtual hosts, the problem persisted.
> But if I left a simple vhost and put a RewriteRule that (for reasons that I
> don't know) it didn't like, then it returned a failure.  When I put it back
> together, I'll build up httpd.config slowly.
>  
> Thanks,
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>  
> 
> From: Michael D. Wood [mailto:m...@itsecuritypros.org] 
> Sent: Monday, January 04, 2016 20:27
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
> 
> Was the index.html file modified in any way?  Did it call the executable?  Any
> rewrites or any other files added to the path index.html resided?
> 
> Sent from my iPhone
> 
>> On Jan 4, 2016, at 8:21 PM, Michael D. Berger  wrote:
>> 
>> It was not overwritten.  If you looked on the server, it was just fine.
>> But an executable was delivered instead.  In any case, it is gone
>> with the wind -- DBAN is now running on the server. Hopefully,
>> the reinstallation will work better.
>>  
>> Mike.
>>  
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>>  
>>  
>> 
>> From: Dino B. [mailto:mypascal2...@gmail.com] 
>> Sent: Monday, January 04, 2016 19:36
>> To: users@httpd.apache.org
>> Subject: RE: [users@httpd] Possible virus via httpd server
>> 
>> Hmmm, index.html is just default page???  Strange that it got
>> overwritten by some executable
>> 
>> --
>> Dino Buljubasic
>> 
>> --
>> Dino Buljubasic
>> Cell 604 441 3560
>> 
>> Please pardon my brevity - sent from my mobile device.  Please excuse any 
>> typos.
>> 
>>> On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:
>>> Following your suggestion, I made use of my daily backups to install
>>> the httpd.conf from two days ago, when all was well. The problem was
>>> the same.  I tried submitting a file to sophos, but I would have to
>>> join, and I am not ready for that.  See also my next email.
>>> 
>>> Still heading toward DBAN.
>>> 
>>> Thanks,
>>> Mike.
>>> 
>>> --
>>> Michael D. Berger
>>> m.d.ber...@ieee.org
>>> http://www.rosemike.net/
>>> 
>>> 
>>> > -Original Message-
>>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>>> > Sent: Monday, January 04, 2016 11:25
>>> > To: users@httpd.apache.org
>>> > Subject: Re: [users@httpd] Possible virus via httpd server
>>> >
>>> > Hi Mike.
>>> >
>>> > You might like to send this to sophos for analysis:
>>> >
>>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>>> >
>>> > As index.html is the default page if nothing else is
>>> > configured, has your httpd.conf file been modified to serve
>>> > this binary file instead of index.html?
>>> >
>>> > HTH,
>>> >
>>> > Keith Roberts
>>> >
>>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>>> >  wrote:
>>> >
>>> > > Warning: This message contains unverified links which may
>>> > not be safe.  You should only click links if you are sure
>>> > they are from a trusted source.
>>> > > Examining with Lemmy (A Windows version of VI), it looks
>>> > like a binary file.
>>> > > Size is 181.4 KB.
>>> > > I am considering my favorite virus remover: DBAN, but it would take
>>> > > several days work to recover from that.
>>> > >
>>> > > Mike.
>>> > > --
>>> > > Michael D. Berger
>>> > > m.d.ber...@ieee.org
>>> > > http://www.rosemike.net/
>>> > >
>>> > >
>>> > >> -Original Message-
>>> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
>>> > >> Sent: Monday, January 04, 2016 05:03
>>> > >> To: users@httpd.apache.org
>>> > >> Subject: RE: [users@httpd] Possible virus via httpd server
>>> > >>
>>> > >> Well, what do you see if you examine the file in a text editor?
>>> > >>
>>> > >>> -Original Message-
>>> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
>>> > >>> Sent: 04 January 2016 05:03
>>> > >>> To: Apache-Users
>>> > >>> Subject: [users@httpd] Possible virus via httpd server
>>> > >>>
>>> > >>> Using my WinXP Firefox client to access my previously
>>> > working httpd
>>> > >>> 2.4 server on Fedora 23 gets a file named  1OfvyQ5L instead 
>>> > >>> of my
>>> > >>> index.html .  Do you think I have a virus on my Linux box?  I did
>>> > >>> notice that my iptables is not as tight as it should be.
>>> > >>>
>>> > >>> --
>>> > >>> Michael D. Berger
>>> > >>> m.d.ber...@ieee.org
>>> > >>> http://www.rosemike.net/

Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Wood
Was the index.html file modified in any way?  Did it call the executable?  Any
rewrites or any other files added to the path index.html resided?

Sent from my iPhone

> On Jan 4, 2016, at 8:21 PM, Michael D. Berger  wrote:
> 
> It was not overwritten.  If you looked on the server, it was just fine.
> But an executable was delivered instead.  In any case, it  is gone
> with the wind -- DBAN is now running on the server. Hopefully,
> the reinstallation will work better.
>  
> Mike.
>  
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>  
>  
> 
> From: Dino B. [mailto:mypascal2...@gmail.com] 
> Sent: Monday, January 04, 2016 19:36
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Possible virus via httpd server
> 
> Hmmm, index.html is just default page???  Strange that it got
> overwritten by some executable
> 
> --
> Dino Buljubasic
> 
> --
> Dino Buljubasic
> Cell 604 441 3560
> 
> Please pardon my brevity - sent from my mobile device.  Please excuse any 
> typos.
> 
>> On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:
>> Following your suggestion, I made use of my daily backups to install
>> the httpd.conf from two days ago, when all was well. The problem was
>> the same.  I tried submitting a file to sophos, but I would have to
>> join, and I am not ready for that.  See also my next  email.
>> 
>> Still heading toward DBAN.
>> 
>> Thanks,
>> Mike.
>> 
>> --
>> Michael D. Berger
>> m.d.ber...@ieee.org
>> http://www.rosemike.net/
>> 
>> 
>> > -Original Message-
>> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
>> > Sent: Monday, January 04, 2016 11:25
>> > To: users@httpd.apache.org
>> > Subject: Re: [users@httpd] Possible virus via httpd server
>> >
>> > Hi Mike.
>> >
>> > You might like to send this to sophos for analysis:
>> >
>> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>> >
>> > As index.html is the default page if nothing else is
>> > configured, has your httpd.conf file been modified to serve
>> > this binary file instead of index.html?
>> >
>> > HTH,
>> >
>> > Keith Roberts
>> >
>> > On 4 Jan 2016, at 16:18, Michael D. Berger
>> >  wrote:
>> >
>> > > Warning: This message contains unverified links which may
>> > not be safe.  You should only click links if you are sure
>> > they are from a trusted source.
>> > > Examining with Lemmy (A Windows version of VI), it looks
>> > like a binary file.
>> > > Size is 181.4 KB.
>> > > I am considering my favorite virus remover: DBAN, but it would take
>> > > several days work to recover from that.
>> > >
>> > > Mike.
>> > > --
>> > > Michael D. Berger
>> > > m.d.ber...@ieee.org
>> > > http://www.rosemike.net/
>> > >
>> > >
>> > >> -Original Message-
>> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
>> > >> Sent: Monday, January 04, 2016 05:03
>> > >> To: users@httpd.apache.org
>> > >> Subject: RE: [users@httpd] Possible virus via httpd server
>> > >>
>> > >> Well, what do you see if you examine the file in a text editor?
>> > >>
>> > >>> -Original Message-
>> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
>> > >>> Sent: 04 January 2016 05:03
>> > >>> To: Apache-Users
>> > >>> Subject: [users@httpd] Possible virus via httpd server
>> > >>>
>> > >>> Using my WinXP Firefox client to access my previously
>> > working httpd
>> > >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
>> > >>> index.html .  Do you think I have a virus on my Linux box?  I did
>> > >>> notice that my iptables is not as tight as it should be.
>> > >>>
>> > >>> --
>> > >>> Michael D. Berger
>> > >>> m.d.ber...@ieee.org
>> > >>> http://www.rosemike.net/

RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Dino B.
Hmmm, index.html is just default page???  Strange that it got
overwritten by some executable

--
Dino Buljubasic

--
Dino Buljubasic
Cell 604 441 3560

Please pardon my brevity - sent from my mobile device.  Please excuse any
typos.
On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:

> Following your suggestion, I made use of my daily backups to install
> the httpd.conf from two days ago, when all was well. The problem was
> the same.  I tried submitting a file to sophos, but I would have to
> join, and I am not ready for that.  See also my next email.
>
> Still heading toward DBAN.
>
> Thanks,
> Mike.
>
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>
>
> > -Original Message-
> > From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
> > Sent: Monday, January 04, 2016 11:25
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Possible virus via httpd server
> >
> > Hi Mike.
> >
> > You might like to send this to sophos for analysis:
> >
> > https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
> >
> > As index.html is the default page if nothing else is
> > configured, has your httpd.conf file been modified to serve
> > this binary file instead of index.html?
> >
> > HTH,
> >
> > Keith Roberts
> >
> > On 4 Jan 2016, at 16:18, Michael D. Berger
> >  wrote:
> >
> > > Warning: This message contains unverified links which may
> > not be safe.  You should only click links if you are sure
> > they are from a trusted source.
> > > Examining with Lemmy (A Windows version of VI), it looks
> > like a binary file.
> > > Size is 181.4 KB.
> > > I am considering my favorite virus remover: DBAN, but it would take
> > > several days work to recover from that.
> > >
> > > Mike.
> > > --
> > > Michael D. Berger
> > > m.d.ber...@ieee.org
> > > http://www.rosemike.net/
> > >
> > >
> > >> -Original Message-
> > >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> > >> Sent: Monday, January 04, 2016 05:03
> > >> To: users@httpd.apache.org
> > >> Subject: RE: [users@httpd] Possible virus via httpd server
> > >>
> > >> Well, what do you see if you examine the file in a text editor?
> > >>
> > >>> -Original Message-
> > >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> > >>> Sent: 04 January 2016 05:03
> > >>> To: Apache-Users
> > >>> Subject: [users@httpd] Possible virus via httpd server
> > >>>
> > >>> Using my WinXP Firefox client to access my previously
> > working httpd
> > >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
> > >>> index.html .  Do you think I have a virus on my Linux box?  I did
> > >>> notice that my iptables is not as tight as it should be.
> > >>>
> > >>> --
> > >>> Michael D. Berger
> > >>> m.d.ber...@ieee.org
> > >>> http://www.rosemike.net/


RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Berger
I don't think index.html was changed, but I only took a quick look.
I have it backed up in a tgz file, so when the Linux box comes back up
(maybe tomorrow), I'll take a closer look.

It is also possible that there was something wrong with httpd.config .
It is quite complex, with numerous RewriteRule, etc.  However, even
when I commented out ALL the virtual hosts, the problem persisted.
But if I left a simple vhost and put a RewriteRule that (for reasons that I
don't know) it didn't like, then it returned a failure.  When I put it back
together, I'll build up httpd.config slowly.
 
Thanks,
Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
 


  _  

From: Michael D. Wood [mailto:m...@itsecuritypros.org] 
Sent: Monday, January 04, 2016 20:27
To: users@httpd.apache.org
Subject: Re: [users@httpd] Possible virus via httpd server


Was the index.html file modified in any way?  Did it call the executable?
Any rewrites or any other files added to the path index.html resided?

Sent from my iPhone

On Jan 4, 2016, at 8:21 PM, Michael D. Berger  wrote:



It was not overwritten.  If you looked on the server, it was just fine.
But an executable was delivered instead.  In any case, it is gone
with the wind -- DBAN is now running on the server. Hopefully,
the reinstallation will work better.
 
Mike.
 
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  
 


  _  

From: Dino B. [mailto:mypascal2...@gmail.com] 
Sent: Monday, January 04, 2016 19:36
To: users@httpd.apache.org
Subject: RE: [users@httpd] Possible virus via httpd server



Hmmm, index.html is just default page???  Strange that it got
overwritten by some executable

--
Dino Buljubasic


--
Dino Buljubasic
Cell 604 441 3560

Please pardon my brevity - sent from my mobile device.  Please excuse any
typos.

On Jan 4, 2016 12:38, "Michael D. Berger"  wrote:


Following your suggestion, I made use of my daily backups to install
the httpd.conf from two days ago, when all was well. The problem was
the same.  I tried submitting a file to sophos, but I would have to
join, and I am not ready for that.  See also my next email.

Still heading toward DBAN.

Thanks,
Mike.

--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/


> -Original Message-
> From: Keith Roberts [mailto:keith.robe...@ecric.nhs.uk]
> Sent: Monday, January 04, 2016 11:25
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Possible virus via httpd server
>
> Hi Mike.
>
> You might like to send this to sophos for analysis:
>
> https://www.sophos.com/en-us/support/knowledgebase/11490.aspx
>
> As index.html is the default page if nothing else is
> configured, has your httpd.conf file been modified to serve
> this binary file instead of index.html?
>
> HTH,
>
> Keith Roberts
>
> On 4 Jan 2016, at 16:18, Michael D. Berger
>  wrote:
>
> > Warning: This message contains unverified links which may
> not be safe.  You should only click links if you are sure
> they are from a trusted source.
> > Examining with Lemmy (A Windows version of VI), it looks
> like a binary file.
> > Size is 181.4 KB.
> > I am considering my favorite virus remover: DBAN, but it would take
> > several days work to recover from that.
> >
> > Mike.
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/
> >
> >
> >> -Original Message-
> >> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
> >> Sent: Monday, January 04, 2016 05:03
> >> To: users@httpd.apache.org
> >> Subject: RE: [users@httpd] Possible virus via httpd server
> >>
> >> Well, what do you see if you examine the file in a text editor?
> >>
> >>> -Original Message-
> >>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> >>> Sent: 04 January 2016 05:03
> >>> To: Apache-Users
> >>> Subject: [users@httpd] Possible virus via httpd server
> >>>
> >>> Using my WinXP Firefox client to access my previously
> working httpd
> >>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
> >>> index.html .  Do you think I have a virus on my Linux box?  I did
> >>> notice that my iptables is not as tight as it should be.
> >>>
> >>> --
> >>> Michael D. Berger
> >>> m.d.ber...@ieee.org
> >>> http://www.rosemike.net/
> 

RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Michael D. Berger
Examining with Lemmy (A Windows version of VI), it looks like a binary file.
Size is 181.4 KB.
I am considering my favorite virus remover: DBAN, but it would take several
days work to recover from that.

Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
  

> -Original Message-
> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk] 
> Sent: Monday, January 04, 2016 05:03
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Possible virus via httpd server
> 
> Well, what do you see if you examine the file in a text editor?
> 
> > -Original Message-
> > From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> > Sent: 04 January 2016 05:03
> > To: Apache-Users
> > Subject: [users@httpd] Possible virus via httpd server
> > 
> > Using my WinXP Firefox client to access my previously working httpd 
> > 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
> > index.html .  Do you think I have a virus on my Linux box?  I did 
> > notice that my iptables is not as tight as it should be.
> > 
> > --
> > Michael D. Berger
> > m.d.ber...@ieee.org
> > http://www.rosemike.net/



RE: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Daniel Beardsmore
If the file begins "MZ" (the MS-DOS stub found at the start of Windows 
executables) then it's very likely to be a Windows program intended for 
execution, which would be bad news.

It's interesting that you say "index.html" -- does this server serve all static 
pages, or does index.html reference a CMS that could have vulnerabilities?

> -Original Message-
> From: Michael D. Berger [mailto:m.d.ber...@ieee.org] 
> Sent: 04 January 2016 16:18
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] Possible virus via httpd server
> 
> Examining with Lemmy (A Windows version of VI), it looks like a binary file.
> Size is 181.4 KB.
> I am considering my favorite virus remover: DBAN, but it would take several
> days work to recover from that.
> 
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
>   
> 
> > -Original Message-
> > From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk] 
> > Sent: Monday, January 04, 2016 05:03
> > To: users@httpd.apache.org
> > Subject: RE: [users@httpd] Possible virus via httpd server
> > 
> > Well, what do you see if you examine the file in a text editor?
> > 
> > > -Original Message-
> > > From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
> > > Sent: 04 January 2016 05:03
> > > To: Apache-Users
> > > Subject: [users@httpd] Possible virus via httpd server
> > > 
> > > Using my WinXP Firefox client to access my previously working httpd
> > > 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
> > > index.html .  Do you think I have a virus on my Linux box?  I did 
> > > notice that my iptables is not as tight as it should be.
> > > 
> > > --
> > > Michael D. Berger
> > > m.d.ber...@ieee.org
> > > http://www.rosemike.net/
> 
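
The header check described in the message above, as an added example that is not part of the original thread. It goes beyond the "MZ" case to also recognise Linux ELF binaries and HTML; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Subsets of the e_type / e_machine values defined by the ELF specification.
ELF_TYPES = {1: "relocatable", 2: "executable", 3: "shared object/PIE", 4: "core"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def classify(data: bytes) -> str:
    """Identify a file from its leading bytes; nothing is executed."""
    if data[:4] == b"\x7fELF":
        endian = {1: "<", 2: ">"}.get(data[5]) if len(data) >= 20 else None
        if endian is None:
            return "ELF (truncated or invalid header)"
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
        e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
        kind = ELF_TYPES.get(e_type, f"type {e_type}")
        arch = ELF_MACHINES.get(e_machine, f"machine 0x{e_machine:x}")
        return f"ELF {bits} {kind} for {arch}"
    if data[:2] == b"MZ":
        # DOS header offset 0x3C holds e_lfanew, the offset of "PE\0\0".
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "Windows PE executable"
        return "MS-DOS MZ executable (no PE signature found)"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "HTML text"
    return "unknown"

def classify_file(path: str) -> str:
    """Read only the first 4 KiB of the file at `path` and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(4096))

# Constructed sample headers (not taken from the file in the thread).
SAMPLE_ELF = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 0x3E)
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_HTML = b"<!DOCTYPE html>\n<html><body>It works!</body></html>"

if __name__ == "__main__":
    for name, blob in [("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("html", SAMPLE_HTML)]:
        print(name, "->", classify(blob))
```

Run `classify_file()` on a copy of the downloaded file; a result other than "HTML text" for what should be index.html confirms that the server is returning something other than the intended page.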



Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Keith Roberts
Hi Mike.

You might like to send this to Sophos for analysis:

https://www.sophos.com/en-us/support/knowledgebase/11490.aspx

As index.html is the default page if nothing else is configured, has your
httpd.conf file been modified to serve this binary file
instead of index.html?

HTH,

Keith Roberts

On 4 Jan 2016, at 16:18, Michael D. Berger  wrote:

> Examining with Lemmy (A Windows version of VI), it looks like a binary file.
> Size is 181.4 KB.
> I am considering my favorite virus remover: DBAN, but it would take several
> days work to recover from that.
> 
> Mike.
> --
> Michael D. Berger
> m.d.ber...@ieee.org
> http://www.rosemike.net/
> 
> 
>> -Original Message-
>> From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk] 
>> Sent: Monday, January 04, 2016 05:03
>> To: users@httpd.apache.org
>> Subject: RE: [users@httpd] Possible virus via httpd server
>> 
>> Well, what do you see if you examine the file in a text editor?
>> 
>>> -Original Message-
>>> From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
>>> Sent: 04 January 2016 05:03
>>> To: Apache-Users
>>> Subject: [users@httpd] Possible virus via httpd server
>>> 
>>> Using my WinXP Firefox client to access my previously working httpd 
>>> 2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my 
>>> index.html .  Do you think I have a virus on my Linux box?  I did 
>>> notice that my iptables is not as tight as it should be.
>>> 
>>> --
>>> Michael D. Berger
>>> m.d.ber...@ieee.org
>>> http://www.rosemike.net/