[NSLUG] [OT] What's WebGuard.Cab?

Mike Spencer mspencer at tallships.ca
Mon Jan 23 04:41:41 AST 2006


I keep getting these port 80 probes -- several per hour -- from a
couple of Eastlink machines.  If, in turn, I probe to see what those
hosts are offering on port 80, I get some HTML with an
<OBJECT...WebGuard.cab... tag and some javascript.

After grovelling through Google, I'm no wiser.  My curiosity is
aroused: If this is a defensive security thing, why are these machines
probing me?  If it's some kind of malware, how come I can't google
anything that reports it as such?

For anyone with a frivolous inclination to respond to this OT query,
a specimen request and response is included infra.

Thanks,
- Mike

--- Begin specimen ---

bogus% wget -S -O - http://24.222.85.219/

--04:29:01--  http://24.222.85.219/
           => `-'
Connecting to 24.222.85.219:80... connected.
HTTP request sent, awaiting response... 
 1 HTTP/1.1 200 OK
 2 Server: Microsoft-IIS/5.1
 3 Connection: keep-alive
 4 Content-Location: http://24.222.85.219/index.html
 5 Date: Mon, 23 Jan 2006 08:31:19 GMT
 6 Content-Type: text/html
 7 Accept-Ranges: bytes
 8 Last-Modified: Tue, 17 Jan 2006 17:42:54 GMT
 9 ETag: "1cb1d7718d1bc61:c7b"
10 Content-Length: 956

<HTML>
<HEAD>
<TITLE> WebGuard </TITLE>
</HEAD>
<BODY>
<OBJECT ID="BaseRunner"
CLASSID="CLSID:E1E0FB30-7830-4dc2-8443-0EAB9695A421"
WIDTH=0 HEIGHT=0 CODEBASE="WebGuard.cab#version=1,0,0,9">
</OBJECT>
Loading...
<SCRIPT LANGUAGE="JavaScript">
<!--
		BaseRunner.AddSite("local", location.hostname);
		BaseRunner.SetCamera(1, 1);
		BaseRunner.SetCamera(2, 2);
		BaseRunner.SetCamera(3, 3);
		BaseRunner.SetCamera(4, 4);
		BaseRunner.SetCamera(5, 5);
		BaseRunner.SetCamera(6, 6);
		BaseRunner.SetCamera(7, 7);
		BaseRunner.SetCamera(8, 8);
		BaseRunner.SetCamera(9, 9);
		BaseRunner.SetCamera(10, 10);
		BaseRunner.SetCamera(11, 11);
		BaseRunner.SetCamera(12, 12);
		BaseRunner.SetCamera(13, 13);
		BaseRunner.SetCamera(14, 14);
		BaseRunner.SetCamera(15, 15);
		BaseRunner.SetCamera(16, 16);
		BaseRunner.SetScreenMode(16);
    BaseRunner.RequestLogin();
	BaseRunner.SetTitle("VLT # 2");
	BaseRunner.Run();
	-->
</SCRIPT>

</BODY>
</HTML>

--- End specimen ---

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^
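
One way to inventory what a captured response like the specimen above asks a browser to load, as an added example that is not part of the original post: it lists each OBJECT element's CLSID, CODEBASE package and version, and the methods the page script calls on it. The `inventory` function, the `ObjectInventory` class and the abridged sample are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the specimen response from the post, abridged.
SAMPLE = '''<HTML><BODY>
<OBJECT ID="BaseRunner"
CLASSID="CLSID:E1E0FB30-7830-4dc2-8443-0EAB9695A421"
WIDTH=0 HEIGHT=0 CODEBASE="WebGuard.cab#version=1,0,0,9">
</OBJECT>
<SCRIPT LANGUAGE="JavaScript">
<!--
BaseRunner.AddSite("local", location.hostname);
BaseRunner.SetCamera(1, 1);
BaseRunner.RequestLogin();
BaseRunner.Run();
-->
</SCRIPT></BODY></HTML>'''

class ObjectInventory(HTMLParser):
    """Collect <OBJECT> elements and all text, including inline script bodies."""
    def __init__(self):
        super().__init__()
        self.objects, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        package, _, frag = a.get("codebase", "").partition("#")
        self.objects.append({
            "id": a.get("id", ""),
            "clsid": a.get("classid", "").upper().split(":", 1)[-1],
            "package": package,  # file the browser is told to fetch
            "version": frag.partition("=")[2].replace(",", "."),
            "hidden": a.get("width") == "0" and a.get("height") == "0",
        })

    def handle_data(self, data):
        self.text.append(data)

def inventory(html):
    """Return each embedded object with the methods the page scripts on it."""
    parser = ObjectInventory()
    parser.feed(html)
    text = "".join(parser.text)
    for obj in parser.objects:
        pattern = r"\b%s\.(\w+)\s*\(" % re.escape(obj["id"])
        obj["methods"] = sorted(set(re.findall(pattern, text))) if obj["id"] else []
    return parser.objects
```

The CLSID it reports is the value to search for in the registry of a machine that has visited such a page, or to look up when trying to identify the control's vendor.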


