[Snort-users] Httpodbc.dll

Gray . Brendan bgray2 at ...3738...
Tue Dec 24 07:03:02 EST 2002

I'm seeing a fair amount of this too, it turns up in mini-swarms.

It shows up on my snort as "WEB-ATTACKS tftp command attempt".  It looks
like they're trying a nimda like buffer overflow, where they invoke your
tftp client (included with windows?) and use it to connect to a tftp server
(the bad guys) and then download a bad httpodbc.dll.  


-----Original Message-----
From: Robert Reid [mailto:rreid at ...7835...]
Sent: Monday, December 23, 2002 1:07 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Httpodbc.dll
Importance: High


I have been seeing a lot of requests for "httpodbc.dll" in my IIS server
logs. From what I can gather it's a nimda varient that uses the file name
httpodbc.dll for the trojan/listener it drops. Im not concerned with the
attack itself, but my snort boxes are not picking it up. Here is a snippet
from my logs:

2002-12-22 04:32:16 63.147.xxx.xxx - 192.168.xxx.xxx 80 GET
0cool.dll%20c:\httpodbc.dll 200 0 0 137 47 HTTP/1.0 - - -

Does a snort signature exist for this type of attack?

Thanks a million,


More information about the Snort-users mailing list