  1. #1
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default FunWebProducts Spyware Bitches

    I have an MS-DOS executing on one of my domains every 5 minutes which produces about 1000 kb of a file as shown below from one report:

    [31/Aug/2007:22:28:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http//www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"

    Note: I altered the URL so it wouldn't be a hyperlink here.

    I have found that "FunWebProducts" is a spyware program.

    "/cgi-bin/arp3/arp3-formcapture.pl" is an old autoresponder program from autoresponse plus I purchased years back. The autoresponder program is pulling from a different domain which I own, but referring to another domain (http//xxx.com/ as shown above).

    I do not have a problem terminating either the domain name or the autoresponse software.

    My question is, by analyzing the info above, which should I do? Delete the auto program, or delete the xxx domain name altogether?

    What's my name?
    Last edited by prettydumb; 09-01-2007 at 07:21 PM.

  2. #2
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Are you saying you have an exploitable perl program on your system that anyone can use to create spam and you want to know if you should delete it so it stops spamming thousands of other people around the world ???.

    Hmmm.... what to do ?????
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  3. #3
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    It appears to only be sending locally.

    I found this site defining the error to the "t", but removal described for a browser.


    liamdelahunty.com/tips/fun_web_products.php

    scanspyware.net/info/FunWebProducts.htm

    You have been an awesome help to me with every question I've had.

    Thanks

  4. #4
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    I see you were making fun of me.

    Didn't you read my name?

    How to do?

  5. #5
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by prettydumb View Post
    I see you were making fun of me.

    Didn't you read my name?

    How to do?
    You are making fun of yourself. I would really recommend less self-deprecation and instead try to see if you can fix these little things yourself. I mean, you know that the script is bad, you know you should not have it open for others to use, and yet you don't know what to do? This isn't hard: get rid of the script or figure out what you can do to hide it or get an update.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  6. #6
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    I thought you knew my name.

    I don't want to argue. I want to learn.

    Everyone started somewhere.

    Anyone have instructions or where to find?

  7. #7
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by prettydumb View Post
    I thought you knew my name.

    I don't want to argue. I want to learn.

    Everyone started somewhere.

    Anyone have instructions or where to find?
    If all you want to do is kill that one perl program, just go to the account that it is installed in. If you don't remember where and can't dig deeper into the logs, then do a

    find /home -name "arp-formcapture.pl" -print

    which will show the exact location(s) of the file. What you do with it at that point is up to you.

    (PS - get a book on unix/linux, especially learn about grep, awk, sed, find, locate, which, cat, head, tail and some little editor like vi; the rest will come naturally over time.)
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  8. #8
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Wink

    Google is your friend. Learn to use it and you'll be called "lessdumb" in no time.

    http://www.castlecops.com/a6170-This...nwebpages.html

    http://www.google.com/search?hl=en&q=formcapture.pl+
    Last edited by Infopro; 09-01-2007 at 08:02 PM.

  9. #9
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by Infopro View Post
    Google is your friend. Learn to use it and you'll be called "lessdumb" in no time.

    http://www.castlecops.com/a6170-This...nwebpages.html

    http://www.google.com/search?hl=en&q=formcapture.pl+
    I might be misreading his post but I think he has an exploitable perl program and not the actual funwebpages thingy. I think the attacker is the funwebpages infected pc, the perl program is him.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  10. #10
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    Just so you understand where I am coming from, I did not jump on here with this question without some investigation.

    From this path /cgi-bin/arp/arp-formcapture.pl,


    I had renamed the folders to /cgi-bin/arp-deadman/arp-formcapture-deadman.pl

    I wait 5 minutes and the dos command is back.

    I do not understand what you are attempting to show me with the urls http://www.castlecops.com/a6170-This...nwebpages.html
    http://www.google.com/search?hl=en&q=formcapture.pl+

    I have arp manuals and the problem lies on my server, not on my personal computer.

    What am I missing?

    How would this url apply? http://www.castlecops.com/a6170-This...nwebpages.html

    Can you clarify?

    It appears you did not read my post reply below when I said "It appears to only be sending locally. I found this site defining the error to the "t", but removal described for a browser." liamdelahunty.com/tips/fun_web_products.php

    You especially missed my bragging about how helpful you are. However, I think you're back!

    The curious part to me about this is why is the arp file referencing the domain xxx in the error?

    Here it is again:

    [31/Aug/2007:22:28:00 -0500] "POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1" 200 335 "http//www.xxx.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"

    Seems to play a role, but am unsure how the dos command keeps coming back even after renaming unless the files are scattered about the server. If this is the conclusion, I need to know instructions on removing from server, much like described for browser removal.
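
Added example, not part of any post in this thread: a small shell/awk helper that tallies access-log hits on the script by path and HTTP status, so an admin can see whether requests to the old path still succeed after a rename. The helper names `summarize_hits` and `sample_log` are hypothetical, and every sample line except the first (which is the one quoted in the posts) is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise access-log hits on a CGI script.
# The log layout is the one quoted in the posts:
#   [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"

# summarize_hits PATTERN  (hypothetical helper name)
# Reads log lines on stdin and prints, for every request whose path contains
# PATTERN, one line per (method, path, status) with the hit count and how many
# of those hits carried the FunWebProducts user-agent token.
summarize_hits() {
    awk -F'"' -v pat="$1" '
        {
            split($2, req, " ")   # req[1] = method, req[2] = path
            split($3, res, " ")   # res[1] = status, res[2] = bytes
            if (index(req[2], pat) == 0) next
            key = req[1] " " req[2] " " res[1]
            hits[key]++
            if (index($6, "FunWebProducts") > 0) tagged[key]++
        }
        END {
            for (k in hits)
                printf "%s hits=%d funweb_ua=%d\n", k, hits[k], tagged[k] + 0
        }' | sort
}

# Constructed sample: the first line is the entry quoted in the thread; the
# rest are made up to show the same client repeating every 5 minutes, with the
# old path returning 404 once the script has been renamed.
sample_log() {
    ua='"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; FunWebProducts)"'
    req='"POST /cgi-bin/arp/arp-formcapture.pl HTTP/1.1"'
    ref='"http//www.xxx.com/"'
    printf '%s\n' \
        "[31/Aug/2007:22:28:00 -0500] $req 200 335 $ref $ua" \
        "[31/Aug/2007:22:33:00 -0500] $req 200 335 $ref $ua" \
        "[31/Aug/2007:22:38:00 -0500] $req 404 290 $ref $ua" \
        "[31/Aug/2007:22:39:10 -0500] \"GET /index.html HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0 (constructed)\""
}

sample_log | summarize_hits formcapture
```

On a real server, pipe the domain's access log into `summarize_hits` instead of `sample_log`. A 404 on the old path after the rename means the requests are still arriving from outside but no longer reach the script.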

  11. #11
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    Quote Originally Posted by nyjimbo View Post
    I might be misreading his post but I think he has an exploitable perl program and not the actual funwebpages thingy. I think the attacker is the funwebpages infected pc, the perl program is him.
    Who are you talking to?

    Good lord! Is this a show for you?

  12. #12
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by prettydumb View Post
    Who are you talking to?

    Good lord! Is this a show for you?
    I am trying to help you but it's not working. I think your first post on this thread is what is confusing and it's probably best if someone else tries to decipher it.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  13. #13
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    "He's" trying to belittle a young person who "he" feels is not as smart as "us".

    What do y'all think?

    I guess "he" only feels as smart as the number of posts "he" has.

    What does everyone else think?

    If he could learn to read with jumping to conclusions and belittling people, we would sooner see who is less dumber.


    --------------

    Do me a favor and stay away from my questions unless you are really here to help.

    I'm not here to be a part of your show!

  14. #14
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,105

    Default

    Quote Originally Posted by prettydumb View Post
    "He's" trying to belittle a young person who "he" feels is not as smart as "us".

    What do y'all think?

    I guess "he" only feels as smart as the number of posts "he" has.

    What does everyone else think?

    If he could learn to read with jumping to conclusions and belittling people, we would sooner see who is less dumber.


    --------------

    Do me a favor and stay away from my questions unless you are really here to help.

    I'm not here to be a part of your show!
    Go back and read my replies; I was giving you actual help you could use. You got upset when I replied to another person about confusion over what you had, the windows binary or the perl program. If you want people to help you, stop acting dumb.

    In this same thread you say "you have been an awesome help to me with every question I've had.", so I don't know why you changed your mind.

    I will make a mental note to not reply to your posts from now on, so you can stop worrying.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  15. #15
    Member
    Join Date
    Aug 2007
    Posts
    35

    Default

    Quote Originally Posted by nyjimbo View Post
    Are you saying you have an exploitable perl program on your system that anyone can use to create spam and you want to know if you should delete it so it stops spamming thousands of other people around the world ???.

    Hmmm.... what to do ?????
    Here's how you help?

    Thanks
