rc5.cgi / What is THIS????

[jinsonxu]

Guys, anyone ever heard of that file? What's it supposed to do> Anything related to DC?

Cause since my reformat (which was caused by the discovery of a trojan residing on my port 5000) i've pulled my firewall settings to block every port except specified ones.

And since then, i've been getting endless queries from this particular IP

209.180.88.32

It keeps requesting for a file called rc5.cgi that is supposed to be in my webserver's cgi-bin directory. I didn't take any notice of that directory earlier. But now after the reformat, there's no such file in there and so of course i keep giving him 501 errors. Received about 4000 probse from him already.

Anyone have any idea what that file is supposed to do? Why would anyone want access to that file?

After about 2 days of endless HTTP prot probes by him, (i blocked the IP), i started receiving requests for that file from somewhere called viracon.com.
Received about 1200 requests from that place alone.

About yesterday onwards, i started receiving requests from other places for that particular file. Only briefly though, eg. 1 or 2 requests from scattered IPs.

So, anyone have any ideas?

 

[networkman]

My reccomendation is to email your info/message to: abuse@distributed.net

This may or may not be something that they are aware of, and it also may be of value to them in hunting down the source of a possible problem.

You can find additional info at:

http://www.distributed.net/trojans.html.en

I've already forwarded your message to dnet, but you should also send it in case they have additional questions.

 

[ViRGE]

Odd, that seems like Bphantom's BB checker, but the IP doesn't match.😱 Check with Bphantom to make sure that isn't his first, before doing anythign rash.

 

[Moose]

rc5.cgi is a personal proxy thing. The client if trying to connect on port 80 tries to connect to a file called rc5.cgi at say http://your.host.com:80/cgi-bin/rc5.cgi. If a personal proxy is present on port 80 it will connect to the personal proxy. If a personal proxy is not present on port 80, but is on the box it is possible to write a cgi that will redirect that information to the correct port allowing you to still have a personal proxy and webserver both listening on port 80. If no personal proxy is on the box at all and no rc5.cgi, the client just keeps requesting communication if its not set to fall over to a nother proxy server.

So the question to you is did you ever have a personal proxy on that box that you allowed others or used yourself that might be trying to connect on port 80?

Hope that explains what that file is supposed to be and supposed to do. If you don't want that user requesting anymore just block his IP in your firewall (if you can so that with your firewall software)

Moose

 

[Joe O]

Moose,
Thanks for the information. Can we get a copy of a cgi that

<< that will redirect that information to the correct port allowing you to still have a personal proxy and webserver both listening on port 80 >>

? This would be very useful for our Round Robin!

 

[Moose]

Take a look at http://www.distributed.net/download/addon.html

look for rc5.cgi

in the perl script change

my $targetproxyaddr = 'nodezero.distributed.net';
my $targetproxyport = 2064;

to the proxyaddr and proxyport of your proxy

Read the script for more information.

moose

 

[jinsonxu]

Thanks for the info, Moose.

My proxy is currently only listening on 2064. 1 only have 1 IP so it's quite impossible for me to allow it 80 at the same time. Would be interested in that script though.