I'm getting lots of 404's on a sjdif.exe

Would that be cause for alarm...?

         

2oddSox

12:35 am on Jul 4, 2004 (gmt 0)

10+ Year Member



As the title explains, I've been getting quite a number of 404's recently on one of my sites on a file called sjdif.exe. I haven't seen similar entries on my other sites but this one in question has an audience solely drawn from the I.T. industry.

With the limited amount of info I've been able to find so far (I've only just discovered this and it's very early in the morning here now so I'm going to tackle this after some ZZZzzz's) it appears to be a trojan of some kind but the info suggests that it applies to 'infected sites'. That's the bit that has me worried.

Has anyone here heard of this or had this before and is there anything I should be doing about it? I'm assuming because it's a 404 then the file doesn't exist on my site, but obviously I want to be certain. I've fired off a message to my host, but based on past experiences with their technical staff I won't be putting too much faith in their response.

Many thanks,

2odd...

encyclo

1:12 am on Jul 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The fact that the server's giving a 404 is a good sign - as you say, that means it doesn't exist. sjdif.exe is something to do with the Browser Helper Object trojan flying around last week. First up - check your pages for any extra JavaScript being served (especially if you're running IIS). Also if you're running IIS, check that you don't have a global footer. If all is well, then you can start to relax a bit.

Here's some more info:

2oddSox

2:12 pm on Jul 4, 2004 (gmt 0)

10+ Year Member



Thanks for the response encyclo. Looking a bit more into this it would appear that any request on this site for a .exe file has only resulted in 404's (in other words, no successful deliveries of that type of file) so it would look like the problem might be that a number of visitors to my site may already be infected with a component of this trojan. That in itself is scary because users of this site should know better.

Again, thanks for your help.

BobG

5:55 pm on Jul 8, 2004 (gmt 0)



I had a similar concern a few days ago but now feel satisfied that I know what was going on.

I found the following entry when I reviewed my website log on July 2:

7/1/2004 21:54:12 - - GET /sjdif.exe 80 - 66.194.6.83 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312463) - - 404 1849 124 312

I sent a message to Websense.com because the 66.194.6.83 client IP appeared to belong to them.

Yesterday, I received replies from 2 different security managers at Websense.com confirming the visit was from them. They explained they were checking all publicly available websites for the presence of malicious code, in this case, sjdif.exe.
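
The log check described in this thread (confirm that every request for an .exe ended in an error such as 404, and see which client IPs asked for it) can be scripted. This is an added example, not code from any poster: the field order is assumed from the single log line BobG quotes, the function names are hypothetical, and every sample line except that quoted one is constructed.

```python
import re
from collections import defaultdict

METHODS = {"GET", "HEAD", "POST"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STATUS = re.compile(r"^[1-5]\d\d$")

# First line is the entry quoted in the thread; the other three are constructed samples.
SAMPLE_LOG = """\
7/1/2004 21:54:12 - - GET /sjdif.exe 80 - 66.194.6.83 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312463) - - 404 1849 124 312
7/2/2004 03:10:45 - - GET /index.html 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) - - 200 5120 130 280
7/2/2004 03:11:02 - - GET /sjdif.exe 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) - - 404 1849 124 297
7/2/2004 04:20:00 - - GET /downloads/Setup.EXE 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) - - 200 90112 140 900
"""

def parse_line(line):
    """Assumed layout: method, URI, then client IP, then status as the next 3-digit field."""
    tokens = line.split()
    try:
        m = next(i for i, t in enumerate(tokens) if t in METHODS)
        ip = next(i for i, t in enumerate(tokens) if i > m and IPV4.match(t))
        status = next(t for t in tokens[ip + 1:] if STATUS.match(t))
    except StopIteration:
        return None  # header, comment or malformed line
    return {"uri": tokens[m + 1], "ip": tokens[ip], "status": int(status)}

def exe_requests(log_text):
    """Split .exe requests into rejected (status >= 400) and served (status < 400)."""
    rejected = defaultdict(set)  # uri -> client IPs that were refused
    served = []                  # (uri, ip, status): the file was actually delivered
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri"].split("?")[0].lower().endswith(".exe"):
            continue
        if rec["status"] >= 400:
            rejected[rec["uri"]].add(rec["ip"])
        else:
            served.append((rec["uri"], rec["ip"], rec["status"]))
    return dict(rejected), served

if __name__ == "__main__":
    rejected, served = exe_requests(SAMPLE_LOG)
    for uri, ips in rejected.items():
        print(f"{uri}: refused for {len(ips)} client(s): {sorted(ips)}")
    print("served .exe requests:", served or "none")
```

An empty `served` list is the outcome 2oddSox reports; any entry in it means an .exe was actually delivered and that file should be inspected on the server.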