Imported Upstream version 2.7
[ossec-hids.git] / etc / rules / log-entries / worms
86 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
588 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
9 200.255.5.155 TCP_NEGATIVE_HIT/404 726 GET http://arborfolia.com/nul.php - NONE/- text/html
326 200.255.5.155 TCP_MISS/404 717 GET http://arborfolia.com/nul.php - DIRECT/66.49.208.142 text/html
1001 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
966 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
543 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
545 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
504 200.255.5.155 TCP_MISS/404 443 GET http://ujscie.one.pl/nul.php - DIRECT/82.96.66.63 text/html


OSSEC HIDS Notification.
2006 Jun 20 08:09:32

Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
Portion of the log(s):

576 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
2085 200.255.5.155 TCP_MISS/404 502 GET http://www.jonogueira.com/nul.php - DIRECT/69.0.160.233 text/html



 --END OF NOTIFICATION



 OSSEC HIDS Notification.
 2006 Jun 20 08:09:33

 Received From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
 Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
 Portion of the log(s):

 1004 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
 784 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
 543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
 955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
 934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
 328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
 329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
 546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
 512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html

http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=223894

http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T