From: Scott C. Kennedy (sck_at_infosyscorp.com)
Date: Thu Nov 07 2002 - 12:07:14 CST
It's a perl script called IIS_PROMISC by Alexandre de Abreu available
at http://online.securityfocus.com/tools/2060
And mentioned in http://lists.insecure.org/incidents/2001/Jul/0014.html
Scott
Keith T. Morgan wrote:
>We received several "code red" style probes for cmd.exe and the like. The probes used the typical method of searching for all default IIS +execute permissioned directories. However, some of the details of the GET requests, I haven't seen before today. Here's an example GET.
>
>http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro
>
>I haven't seen requests for a boo.bat. I also haven't seen this particular echo command that was common to all of the requests for cmd.exe. Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"
>
>Some new script? Has anyone else seen these?
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
>
>
--
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
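
For anyone triaging the same probe in web-server logs, here is an added detection example (not part of the original thread, and not the IIS_PROMISC script): it flags percent-encoded overlong UTF-8 sequences such as the `%C1%9C` in the quoted request, shows what a lenient decoder would turn them into, and pulls out the echo marker. The "source method URI" line format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines ("source method URI"); addresses are from the
# 192.0.2.0/24 documentation range. The first URI is the one quoted above.
SAMPLE_LOG = [
    "192.0.2.10 GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C"
    "..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro",
    "192.0.2.11 GET /index.html",
    "192.0.2.12 GET /caf%C3%A9/menu.html",  # valid UTF-8, must not alert
    "192.0.2.13 GET /scripts/..%c1%9c..%c1%9cwinnt/system32/cmd.exe",
]

# Lead bytes 0xC0/0xC1 can only encode code points below 0x80, so any
# sequence starting with them is an overlong (invalid) UTF-8 form.
OVERLONG = re.compile(rb"[\xC0\xC1][\x80-\xBF]")
MARKER = re.compile(r"echo\+([A-Za-z0-9_]+)")

def lenient_decode(raw: bytes) -> bytes:
    """Collapse overlong 2-byte forms the way a non-strict decoder would."""
    return OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)

def analyze(line: str):
    """Return a finding dict for a probe line, or None for a benign request."""
    source, _method, uri = line.split(" ", 2)
    path, _, query = uri.partition("?")
    raw = unquote_to_bytes(path)          # undo %XX escapes, keep raw bytes
    overlong = OVERLONG.findall(raw)
    if not overlong:
        return None
    seen = lenient_decode(raw).decode("latin-1")
    marker = MARKER.search(query)
    return {
        "source": source,
        "overlong_count": len(overlong),
        "decodes_to": sorted({lenient_decode(s).decode("latin-1") for s in overlong}),
        "traversal": bool(re.search(r"\.\.[\\/]", seen)),
        "targets_cmd": seen.lower().endswith("cmd.exe"),
        "marker": marker.group(1) if marker else None,
    }

def scan(lines):
    """Analyze every line and keep only the findings."""
    return [f for f in map(analyze, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Grouping findings by the `marker` value is a quick way to tie requests from different sources back to the same tool.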