[Snort-users] Httpodbc.dll

Hicks, John JHicks at ...5857...
Tue Dec 24 07:39:03 EST 2002

This usually fits in with the CMD.exe access attempts of most web worms, but
this specific one, AFAIK, is Nimda.E.

John Hicks

-----Original Message-----
From: Robert Reid [mailto:rreid at ...7835...]
Sent: Monday, December 23, 2002 1:07 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Httpodbc.dll
Importance: High


I have been seeing a lot of requests for "httpodbc.dll" in my IIS server
logs. From what I can gather it's a Nimda variant that uses the file name
httpodbc.dll for the trojan/listener it drops. I'm not concerned with the
attack itself, but my Snort boxes are not picking it up. Here is a snippet
from my logs:

2002-12-22 04:32:16 63.147.xxx.xxx - 192.168.xxx.xxx 80 GET
0cool.dll%20c:\httpodbc.dll 200 0 0 137 47 HTTP/1.0 - - -

Does a Snort signature exist for this type of attack?

Thanks a million,
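
An added example (not part of either message): a Python scan of IIS W3C extended logs for the httpodbc.dll requests described in the post, usable as a cross-check when the IDS is silent. The log lines, addresses, paths and the helper names decode_fully and find_hits are constructed for illustration; columns are located from the #Fields: header, which is assumed to be present in the log.

```python
import re
from urllib.parse import unquote

# Filename from the post; matched case-insensitively after decoding.
MARKER = re.compile(r"httpodbc\.dll", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (documentation address ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2002-12-22 04:32:16 198.51.100.7 - 192.0.2.10 80 GET /scripts/x.dll%20c:\\httpodbc.dll 200
2002-12-22 04:32:20 198.51.100.7 - 192.0.2.10 80 GET /scripts/HTTPODBC.DLL 404
2002-12-22 04:33:01 203.0.113.9 - 192.0.2.10 80 GET /scripts/%2568ttpodbc.dll 404
2002-12-22 04:35:44 203.0.113.50 - 192.0.2.10 80 GET /index.html 200
"""

def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded names are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def find_hits(lines):
    """Return (date, time, client_ip, status, decoded_uri) for matching requests."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue  # skip other directives and rows with no known layout
        row = dict(zip(fields, line.split()))
        uri = decode_fully(row.get("cs-uri-stem", ""))
        if MARKER.search(uri):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("sc-status"), uri))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

A 200 status on a matching request, as in the snippet from the post, is the case worth following up on the server itself.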

