
Nethief trojan http requests.

From: Marc <marc(at)egwn.net>
Date: Mon Nov 11 2002 - 06:07:52 EST

Hi,

A few days ago my webserver started to catch dozens of the requests pasted below per minute:

XXX.XXX.XXX.XXX - - [11/Nov/2002:11:44:08 +0100] "GET /dj/pic/Nethief_Connect.jpg HTTP/1.0" 302 216 "-" "IExplorer"

XXX.XXX.XXX.XXX - - [11/Nov/2002:11:44:08 +0100] "GET /dj/pic/Nethief_Notify.jpg HTTP/1.1" 302 228 "-" "IExplorer"

The .jpg files don't exist in the user directory. I've pasted the name of the file into Google and found that it probably belongs to a virus/trojan called Nethief. But I haven't found out why my webserver is getting those requests.

What I've found is that the trojan copies itself with the name IEXPLORER.EXE (the real one is IEXPLORE.EXE), and seems to be using it as the User-Agent, if you look at the webserver log files.

The trojan is (apparently) only for Win32, so that would mean I'm not the infected end, because we don't use a single Win32 OS. Then why the hell are we getting those requests?


Has anyone had the same problem?

Thanks in advance,
Marc.

Received on Tue Nov 12 11:55:06 2002
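
One way to measure the traffic described in the message above, as an added example that is not part of the original post: this Python script scans Combined Log Format lines for the two file names and the "IExplorer" User-Agent quoted in the post, then reports hits and the peak per-minute rate for each source address. The sample lines, the addresses in them (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>[^"\s]+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
# Indicators quoted in the post: the two file names and the User-Agent string.
PATH_RE = re.compile(r'/Nethief_(Connect|Notify)\.jpg$', re.IGNORECASE)
SUSPECT_AGENT = "IExplorer"

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [11/Nov/2002:11:44:08 +0100] "GET /dj/pic/Nethief_Connect.jpg HTTP/1.0" 302 216 "-" "IExplorer"',
    '192.0.2.10 - - [11/Nov/2002:11:44:08 +0100] "GET /dj/pic/Nethief_Notify.jpg HTTP/1.1" 302 228 "-" "IExplorer"',
    '192.0.2.10 - - [11/Nov/2002:11:45:02 +0100] "GET /dj/pic/Nethief_Connect.jpg HTTP/1.0" 302 216 "-" "IExplorer"',
    '198.51.100.7 - - [11/Nov/2002:11:44:30 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [11/Nov/2002:11:44:31 +0100] "GET /dj/pic/Nethief_Notify.jpg HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

def scan(lines):
    """Group matching requests by source host; also count unparsable lines."""
    hosts = defaultdict(lambda: {"reasons": Counter(), "minutes": Counter()})
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1 if line.strip() else 0
            continue
        path_hit = bool(PATH_RE.search(m["path"].split("?", 1)[0]))
        agent_hit = m["agent"] == SUSPECT_AGENT
        if not (path_hit or agent_hit):
            continue
        # A path-only hit is likely someone checking the URL in a normal browser.
        reason = ("path+agent" if path_hit and agent_hit
                  else "path-only" if path_hit else "agent-only")
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hosts[m["host"]]["reasons"][reason] += 1
        hosts[m["host"]]["minutes"][ts.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(hosts), unparsed

def report(hosts):
    """Rows of (host, total hits, peak hits in one minute, reasons), busiest first."""
    rows = [(h, sum(d["reasons"].values()), max(d["minutes"].values()), dict(d["reasons"]))
            for h, d in hosts.items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    found, skipped = scan(SAMPLE)
    for row in report(found):
        print(*row)
    print("unparsed lines:", skipped)
```
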

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

