Security Incidents mailing list archives

RE: Script I haven't seen? Or human directed?

From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 7 Nov 2002 13:37:38 -0500

Keith T. Morgan wrote Thursday, November 07, 2002 9:18 AM

However, some of the details of the GET requests, I haven't seen before

today.  Here's an example GET.

http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C
..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSo
corro

I haven't seen requests for a boo.bat.  I also haven't seen this

particular echo command that was common to all of the requests for cmd.exe.
Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"

Old script or modified version -
http://www.securiteam.com/tools/5FP0N0K4AY.html

Boo.bat is a directory name in this request. The request traverses downward
to (nonexistent) boo.bat then up to the root and back down to system32 to
execute the cmd echo.

The echo is Portuguese for "Our Lady of Perpetual Aid".

- Jim



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Script I haven't seen? Or human directed? Keith T. Morgan (Nov 07)
- RE: Script I haven't seen? Or human directed? James C Slora Jr (Nov 07)
- Re: Script I haven't seen? Or human directed? Scott C. Kennedy (Nov 07)
- <Possible follow-ups>
- Re: Script I haven't seen? Or human directed? Stephen Friedl (Nov 07)