While you may have identified something that is a Windows payload...  I
found another 'fex' program today that you should probably make sure
is not on your machine.

http://www.sfr-fresh.com/unix/privat/fex-20080807.tar.gz
"F*EX (File EXchange) is a Web based service to send very big files
from one person to another. After the upload the recipient gets a
notification email with the download URL."

I downloaded it and scanned it, including reading the documentation from
inside it, and it appears to be quite the little collection of perl CGI
commands, which would run on Linux, not just for Windows.

This "fex" and its built-in stream-exchange ("s" followed by
"ex") command would not be something I would want on my server - they
allow someone to use your web server as a bi-directional HTTP streaming
proxy to exchange large files between two users.

I have not seen the webapps you have, so it's possible the similarity is
only in name (my assumption in both cases 'fex' stands for "file
exchange"), but I would make sure the contents of this "fex" tar file
were not running on my machine.

Also, I will point out that these "f*ex" and "s*ex" utilities are
actually open source, and contain the author's name, etc.  They could
actually have a valid use, and just by their existence probably
shouldn't in any way implicate the 'fex' author in whatever happened
to get it installed on your machine.



On 8/20/2008, "Ann Richmond" <[email protected]> wrote:

>Everyone,
>Thank you for all the great ideas.  We are starting to look at this.  We
>pulled one of these down to a Windows machine and AVG immediately
>detected a Windows virus.
>
>So we are thinking some vulnerability of Tomcat allows it to be
>deployed (as you suggested), but it looks like the payload is a Windows
>virus.
