Re: ASP Files

[H D Moore <hdm () digitaloffense net>]

Although not ASP specific, you might want to check out the 
"DDI_IIS_Compromised.nasl" plugin in the Nessus scanner distribution. It 
checks for most of the things left in the web root by your casual warez 
cracker. I will be submitting a slightly improved version sometime this 
week, but the "official" version can be found at:

(possibly wrapped)

http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/DDI_IIS_Compromised.nasl

If you simply want to crawl an entire site and scan every single ASP 
script that's linked (besides a few common ones, kids really don't name 
their backdoors anything consistent), try looking for things like 
type="FILE" (for upload scripts), or common words like "execute" and 
"command".

-HD

On Tuesday 10 December 2002 09:01 am, Ian Lyte wrote:
> Hi All,
>
>     I'm looking for some sample .asp / .php files (preferably some
> captured from honeypots if at all possible) that are currently being
> uploaded on compromised systems.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/