Security Incidents mailing list archives

Re: Script I haven't seen? Or human directed?
From: "Scott C. Kennedy" <sck () infosyscorp com>
Date: Thu, 07 Nov 2002 10:07:14 -0800

It's a perl script called IIS_PROMISC by Alexandre de Abreu, available at http://online.securityfocus.com/tools/2060

And mentioned in http://lists.insecure.org/incidents/2001/Jul/0014.html

Scott

Keith T. Morgan wrote:

We received several "code red" style probes for cmd.exe and the like.  The probes used the typical method of searching for all default IIS +execute permissioned directories.  However, some of the details of the GET requests, I haven't seen before today.  Here's an example GET.

http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro

I haven't seen requests for a boo.bat.  I also haven't seen this particular echo command that was common to all of the requests for cmd.exe.  Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"

Some new script?  Has anyone else seen these?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


--
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
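
Added example, not part of the original posts or of the IIS_PROMISC script: a log check for the request pattern quoted above. `%C1%9C` is an overlong two-byte UTF-8 form of the backslash (0x5C), so the check decodes such forms, normalizes the path, and pulls out the echoed marker string. The function names and the sample request lines are assumptions constructed for this illustration; only the probe path comes from the thread.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines; the first path is the probe quoted in the thread.
SAMPLE_REQUESTS = [
    "GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /caf%C3%A9/menu.html HTTP/1.0",
]

def decode_lenient(raw: bytes):
    """Decode as a lenient UTF-8 decoder would, accepting overlong 2-byte
    forms. Returns (text, number_of_overlong_sequences)."""
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:  # ASCII hidden in two bytes: never valid UTF-8
                overlong += 1
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong

def classify(request_line: str) -> dict:
    """Report the traits of one request line that match the quoted probe."""
    _method, target, _proto = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    decoded, overlong = decode_lenient(unquote_to_bytes(path))
    normalized = decoded.replace("\\", "/").lower()
    marker = re.search(r"echo\+([A-Za-z0-9_]+)", query)
    return {
        "overlong": overlong,
        "traversal": "../" in normalized,
        "cmd_exe": normalized.endswith("cmd.exe"),
        "echo_marker": marker.group(1) if marker else None,
    }

def is_probe(request_line: str) -> bool:
    """True when overlong encoding hides a traversal that ends at cmd.exe."""
    r = classify(request_line)
    return r["overlong"] > 0 and r["traversal"] and r["cmd_exe"]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(is_probe(line), classify(line))
```

The echoed marker is the most tool-specific field here: grouping flagged requests by `echo_marker` separates this script's probes from other cmd.exe scans in the same log.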




