Topic: ApacheBench virus ?
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Tue 20 Aug '13 16:53 Post subject: ApacheBench virus ?
A few days ago one of the services running on a Win2k8 R2 server was blocked - I could not restart it because another process had locked a file used by that service. The blocking process was ILDIbBUhvXAJrVO.exe, which runs a file with the same name located in c:\windows\temp.
When the ILDIbBUhvXAJrVO.exe process was killed from Task Manager I could finally restart the service (which is a JBoss application server service, fronted by Apache).
I downloaded this file to my PC, but once the download finished Norton Antivirus on my PC reacted by raising a virus alarm, and the file was immediately deleted.
I checked the suspicious file on a machine not protected by NAV, and the file details show:
File Description : ApacheBench command line utility
File version : 2.2.14.0
Product Name : Apache HTTP Server
Product version : 2.2.14
Original filename : ab.exe
It's strange, as the Apache web server installed on the "infected" machine is 2.4.4-x64, not 2.2.14 (actually 2.2.x has never been installed there).
I've done some research, but I haven't found any ab.exe vulnerabilities for Apache version 2.2.14.
Has anyone met such a case?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 20 Aug '13 20:18
I can compile binaries to say anything in the details; whether the info is correct or not is another story. Your last statement makes me believe this is the case, since 2.2 has never been on the machine.
I doubt the file was ab.exe. But you can always run the ab.exe you do have through www.virustotal.com.
zarat
Joined: 12 Sep 2018 Posts: 1 Location: Vienna
Posted: Wed 12 Sep '18 17:29 Post subject: Meterpreter Trojan
Even though this thread is old, the topic is still current! So in case someone has the same problem: the Meterpreter, when connected via reverse_https, disguises itself under this name. That means someone is already on the system and has a server running that phones home. I work a lot with the Metasploit Framework; this is quite certainly a Meterpreter reverse_https trojan!
https://blog.rapid7.com/2011/06/29/meterpreter-httphttps-communication/
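The checks the thread suggests, collected into one triage script as an added example (it is not code from the thread, from Apache Lounge or from the Apache project): dump the version resource that, as glsmith says, can claim anything; hash the file for a VirusTotal lookup and compare it with the installed ab.exe; record the Authenticode status; and, for any running instance, capture parent, command line and TCP connections, since a process living in %TEMP%, holding a service's files open and making repeated outbound HTTPS connections is the behaviour zarat describes for a reverse_https Meterpreter. The suspect path is the one from the first post; the known-good path assumes an Apache Lounge 2.4 install in the default C:\Apache24 layout. Both are assumptions to adjust.

```powershell
# Added triage example; not from the thread. Paths are assumptions:
# $Suspect is the file named in the first post, $KnownGood the ab.exe that
# ships with an Apache Lounge 2.4 install in its default C:\Apache24 layout.
$Suspect   = 'C:\Windows\Temp\ILDIbBUhvXAJrVO.exe'
$KnownGood = 'C:\Apache24\bin\ab.exe'

# 1. What the file claims to be. A version resource is just data the author
#    compiled in, so "ab.exe" here proves nothing by itself.
Write-Host '--- Version resource ---'
(Get-Item -LiteralPath $Suspect).VersionInfo |
    Select-Object FileDescription, FileVersion, ProductName, ProductVersion,
                  OriginalFilename, CompanyName | Format-List

# 2. What the file actually is. Compare with the installed ab.exe and look the
#    SHA-256 up on VirusTotal by hash; no need to upload the file itself.
Write-Host '--- Hashes ---'
$suspectHash = (Get-FileHash -LiteralPath $Suspect   -Algorithm SHA256).Hash
$goodHash    = (Get-FileHash -LiteralPath $KnownGood -Algorithm SHA256).Hash
"Suspect    : $suspectHash"
"Known good : $goodHash"
"Search URL : https://www.virustotal.com/gui/search/$suspectHash"
if ($suspectHash -eq $goodHash) {
    'Byte-identical to the installed ab.exe'
} else {
    'Differs from the installed ab.exe (expected here: the box runs 2.4.4, the file claims 2.2.14)'
}

# 3. Authenticode. "NotSigned" is only conclusive for a file you expect to be
#    signed; a signature that fails to validate (HashMismatch) is always bad.
Write-Host '--- Signature ---'
Get-AuthenticodeSignature -LiteralPath $Suspect |
    Select-Object Status, StatusMessage,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } | Format-List

# 4. How the file behaves. A genuine ApacheBench run is a short-lived client a
#    user starts by hand. A process that sits in %TEMP%, holds a service's
#    files open and repeatedly connects out over HTTPS matches the
#    reverse_https callback described above.
Write-Host '--- Running instances ---'
$name  = Split-Path -Leaf $Suspect
$procs = Get-CimInstance Win32_Process -Filter "Name = '$name'"
if (-not $procs) { "No running process named $name" }
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Parent      = "$($parent.Name) (PID $($p.ParentProcessId))"
        Started     = $p.CreationDate
    } | Format-List
    # Get-NetTCPConnection needs Windows 8 / Server 2012 or later. On the
    # Server 2008 R2 box from the post use:  netstat -ano | findstr <PID>
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell on the affected host before killing the process, so step 4 still has something to look at; copy the file for offline analysis only after recording the hash, since a real-time scanner on the analysis machine will delete it, as happened in the first post.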
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 13 Sep '18 16:03 Post subject: Re: Meterpreter Trojan
zarat wrote: | this is quite certainly a Meterpreter reverse_https trojan!
I disagree. We often had that false positive with some virus scanners with the binary compiled from source. In some cases it might be, but ab.exe in general is not evil.
And please post in English in this forum.