Nimda: W32.nimda.a.mm
“Awake, and rise to my defense! Contend for me, my God and Lord” Psalm 35:23
Looks like someone from 193.227.168.5 is trying to infect the server that hosts this site with the dreaded Nimda: W32.nimda.a.mm worm.
How do I know this? Well, one of the advantages of getting a real host is having access to real logs … like this:
- 193.227.168.5 - - [25/May/2002:07:36:28 -0700] "GET / HTTP/1.1" 200 16647 "http://google.yahoo.com/bin/query?p=article+of+new+church+design&y=y&e=86980660&f=0%3A2766678%3A2718086%3A254845%3A259232%3A2701400%3A259386%3A259455%3A86980660&r=Society+and+Culture%02Religion+and+Spirituality%02Faiths+and+Practices%02Christianity%02Arts%02Architecture&hc=0&hs=0" "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
- 193.227.168.5 - - [25/May/2002:07:36:29 -0700] "GET /main.css HTTP/1.1" 200 2634 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
- 193.227.168.5 - - [25/May/2002:07:36:32 -0700] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
- 193.227.168.5 - - [25/May/2002:07:36:32 -0700] "GET /images/search.gif HTTP/1.1" 200 351 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
- 193.227.168.5 - - [25/May/2002:07:36:33 -0700] "GET /powered.gif HTTP/1.1" 200 1305 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
- 193.227.168.5 - - [25/May/2002:07:36:33 -0700] "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
And because I’ve been hacked before, I now have some programs in place that wake me up in the middle of the night and tell me when such visits occur.
I could go on and on about how this particular worm works, but instead, I refer you to an excellent article by TruSecure, a company that provides solutions, as well as up-to-date news, for and about such problems.
Here are a couple of other interesting visits from 24.168.101.98; these are much closer to home … here’s just one set of prints we lifted:
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET / HTTP/1.1" 200 11166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET /styles-site.css HTTP/1.1" 200 4759 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET /images/search.gif HTTP/1.1" 200 351 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
- 24.168.101.98 - - [23/May/2002:07:21:24 -0700] "GET /powered.gif HTTP/1.1" 200 1305 "http://healyourchurchwebsite.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461)"
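The kind of check that the "wake me up in the middle of the night" programs mentioned above have to do, written out as an added example (this is not the site's own script): a small Python parser for Apache combined-format lines that flags any request for the two probe paths that appear in both sets of prints, `/_vti_bin/owssvr.dll` and `/MSOffice/cltreq.asp`, and groups the hits by source address. The log lines in the block are constructed, with documentation addresses (192.0.2.10 and 198.51.100.7) standing in for the real visitors; the probe paths and their query string are the ones quoted in the post. A 404 still counts as a hit, since the scanner learns something from the response either way, and the query string is stripped before matching so a changed `BUILD=` value does not slip past.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat, the layout of the entries quoted in the post:
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request paths the scanner asked for in the logs above. Matching is done on the
# path only (query string removed) and case-insensitively, because IIS paths are.
PROBE_PATHS = (
    "/_vti_bin/owssvr.dll",
    "/MSOffice/cltreq.asp",
)

# Constructed sample input: documentation addresses, same probe paths as the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/May/2002:07:36:28 -0700] "GET / HTTP/1.1" 200 16647 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [25/May/2002:07:36:32 -0700] "GET /_vti_bin/owssvr.dll'
    '?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [25/May/2002:07:36:33 -0700] "GET /MSOffice/cltreq.asp'
    '?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1" 404 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [25/May/2002:08:01:02 -0700] "GET /main.css HTTP/1.1" 200 2634 '
    '"http://example.invalid/" "Mozilla/5.0"',
    "this line is not in combined format and must be skipped, not crash the parser",
]


def parse_line(line):
    """Return a dict of the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Apache writes "-" when no body was sent (typical for the 404 probe responses).
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_probe(entry):
    """True if the request path (query string removed) is one of the known probe paths."""
    path = entry["path"].split("?", 1)[0].lower()
    return any(path == p.lower() for p in PROBE_PATHS)


def summarize(lines):
    """Map each source address that sent at least one probe to the probe paths it requested."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_probe(entry):
            hits[entry["ip"]].append(entry["path"].split("?", 1)[0])
    return dict(hits)


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LOG with the lines of the access log and
    # hand the result to whatever sends the alert.
    for ip, paths in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe request(s): {', '.join(paths)}")
```

Run against the sample input it reports one source, 192.0.2.10, with both probe paths; the stylesheet request from 198.51.100.7 and the malformed line produce nothing. Alerting on the source address rather than on each individual line is what keeps a single scan from paging you six times.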