[Snort-users] hmm...nimda RICHED20.DLL alarms

fluid fluid at ...4580...
Mon Jan 21 21:56:02 EST 2002

I am getting some of these every day from work (seemingly when users are running Office applications). It is the same set of machines every day...always attacking the same destination server. Scans of the server are picking up nothing with any antivirus package I find, and the same is true of the workstations.

In my mind, the rule regarding this activity should never alert under normal circumstances...it is always the same 5 or 6 machines sending out to the same destination IP. I have looked in every user directory that is pointed out by the Snort packet logs, and I do not see a riched20.dll file hidden there at all...do you guys think the clients are infected, or the server, or am I seeing some fluke false alarm?

I desperately need help on this one; I have done everything I can think of to do. The server is running Windows NT 4.0, and the clients are mainly running 9x.
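The pattern the poster describes (a fixed handful of workstations, one destination server, alerts during the working day) can be checked mechanically from the Snort alert log before deciding whether anything is infected. The script below is an added example, not part of the original post or of Snort itself: it parses alert lines in Snort's "fast" output format, groups them by source/destination pair, and labels each pair as "recurring" (same pair on more than one day, only in working hours, the shape of an application repeatedly opening a file on a share), "spraying" (one source touching several destinations, the shape worm propagation would have), or "other". The sample log lines are constructed, the sid in the `[gid:sid:rev]` field is a placeholder rather than the real rule id, and the year 2002 is assumed because fast-format timestamps carry no year.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Snort "fast" alert format (not from the post).
# The [1:0:0] triple is a placeholder; the real sid is not given on the page.
SAMPLE_ALERTS = """\
01/21-08:55:12.000101  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.21:1052 -> 10.1.1.5:139
01/21-09:03:40.000202  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.22:1087 -> 10.1.1.5:139
01/21-13:17:05.000303  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.21:1120 -> 10.1.1.5:139
01/22-08:58:33.000404  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.21:1055 -> 10.1.1.5:139
01/22-09:10:02.000505  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.22:1090 -> 10.1.1.5:139
01/22-02:41:19.000606  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.77:3301 -> 10.1.1.9:139
01/22-02:42:50.000707  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.77:3305 -> 10.1.1.10:139
01/22-02:44:03.000808  [**] [1:0:0] NETBIOS nimda RICHED20.DLL [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.77:3309 -> 10.1.1.11:139
"""

# Fast-format line: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_alerts(text, year=2002):
    """Parse fast-format alert lines into dicts; lines that don't match are skipped.

    The year is an assumption: fast-format timestamps carry only month and day.
    """
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "msg": m["msg"], "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def triage(alerts, work_start=8, work_end=18):
    """Group alerts by (src, dst) and label each pair.

    'spraying'  : one source hitting several destinations; propagation shape,
                  look at that host first.
    'recurring' : same pair on more than one calendar day, only in working
                  hours; consistent with an application opening a file named
                  riched20.dll on a share. Confirm by checking the file itself
                  (size/hash against a known-good copy), not by assumption.
    'other'     : everything else.
    """
    pairs = defaultdict(list)
    for a in alerts:
        pairs[(a["src"], a["dst"])].append(a)
    fanout = Counter(src for (src, _dst) in pairs)  # distinct destinations per source
    result = {}
    for (src, dst), hits in pairs.items():
        days = {a["ts"].date() for a in hits}
        in_hours = all(work_start <= a["ts"].hour < work_end for a in hits)
        if fanout[src] > 1:
            label = "spraying"
        elif len(days) > 1 and in_hours:
            label = "recurring"
        else:
            label = "other"
        result[(src, dst)] = {"count": len(hits), "days": len(days),
                              "in_hours": in_hours, "label": label}
    return result


if __name__ == "__main__":
    for (src, dst), info in sorted(triage(parse_fast_alerts(SAMPLE_ALERTS)).items()):
        print(f"{src} -> {dst}: {info['count']} alerts over {info['days']} day(s), "
              f"working hours only={info['in_hours']}, label={info['label']}")
```

On the constructed sample the two office workstations talking to the one server come out as "recurring" and the host touching three different servers at 2 a.m. comes out as "spraying"; the labels rank where to look, and the decisive check is still the riched20.dll file on the hosts involved.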