Snort mailing list archives
hmm...nimda RICHED20.DLL alarms
From: "fluid" <fluid () sc rr com>
Date: Tue, 22 Jan 2002 00:54:52 -0500
I am getting some of these every day from work (seemingly when users are running Office applications). It is the same set of machines every day...always attacking the same destination server. Scans of the server are picking up nothing with any antivirus package I find, and the same is true of the workstations. In my mind, the rule regarding this activity should never alert under normal circumstances...it is always the same 5 or 6 machines sending out to the same destination IP. I have looked in every user directory that is pointed out by the Snort packet logs, and I do not see a riched20.dll file hidden there at all...do you guys think the clients are infected, or the server, or am I seeing some fluke false alarm? I desperately need help on this one; I have done everything I can think of to do. The server is running Windows NT 4.0, and the clients are mainly running 9x. Thanks.
--fluid