Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Script I haven't seen? Or human directed?

From: "Scott C. Kennedy" <sck () infosyscorp com>
Date: Thu, 07 Nov 2002 10:07:14 -0800
It's a perl script called IIS_PROMISC by Alexandre de Abreu availabel at http://online.securityfocus.com/tools/2060 

And mentioned in http://lists.insecure.org/incidents/2001/Jul/0014.html

Scott

Keith T. Morgan wrote:


We recieved several "code red" style probes for cmd.exe and the like.  The probes used the typical method of searching for all 
default IIS +execute permissioned directories.  However, some of the details of the GET requests, I haven't seen before today.  
Here's an example GET.

http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro

I haven't seen requests for a boo.bat.  I also haven't seen this particular echo command that was common to all of the requests 
for cmd.exe.  Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"

Some new script?  Has anyone else seen these?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com 



--
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: