Script I haven't seen? Or human directed?

From: Keith T. Morgan (keith.morganat_private)
Date: Thu Nov 07 2002 - 06:18:13 PST


    We received several "code red" style probes for cmd.exe and the like.  The probes used the typical method of searching for all default IIS +execute permissioned directories.  However, some of the details of the GET requests, I haven't seen before today.  Here's an example GET.
    
    http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro
    
    I haven't seen requests for a boo.bat.  I also haven't seen this particular echo command that was common to all of the requests for cmd.exe.  Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"
    
    Some new script?  Has anyone else seen these?
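
An added example, not part of the original post: a Python check for web-server request URIs that decodes the two-byte overlong sequences seen in the GET above (under a lenient UTF-8 decoder, %C1%9C becomes a backslash) and flags traversal toward cmd.exe. The function names and the benign sample URIs are constructed for illustration; the probe URI is the path and query from the post.

```python
from urllib.parse import unquote_plus, unquote_to_bytes

# Path and query of the request quoted in the post (host omitted).
PROBE_URI = ("/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C"
             "..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro")
# Constructed benign samples, including one with valid (non-overlong) UTF-8.
BENIGN_URIS = ["/scripts/report.asp?id=7", "/docs/caf%C3%A9.html"]

def decode_lenient(raw: bytes):
    """Decode the way a lax UTF-8 decoder would: accept 2-byte overlong forms
    (lead byte 0xC0 or 0xC1) that a strict decoder rejects.
    Returns (text, number_of_overlong_sequences)."""
    out, overlong, i = [], 0, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong += 1
            i += 2
        else:
            out.append(chr(b))  # pass other bytes through unchanged
            i += 1
    return "".join(out), overlong

def analyze(uri: str) -> dict:
    """Percent-decode the path, undo overlong encoding, then inspect the result."""
    path, _, query = uri.partition("?")
    decoded, overlong = decode_lenient(unquote_to_bytes(path))
    normalized = decoded.replace("\\", "/").lower()
    return {
        "decoded_path": decoded,
        "overlong_sequences": overlong,
        "traversal": ".." in normalized.split("/"),
        "targets_cmd": normalized.endswith("/cmd.exe"),
        "command": unquote_plus(query) if query.startswith("/c") else None,
    }

def suspicious(uri: str) -> bool:
    """Overlong encodings have no legitimate use in a URI, so any hit is flagged."""
    r = analyze(uri)
    return r["overlong_sequences"] > 0 or (r["traversal"] and r["targets_cmd"])

if __name__ == "__main__":
    for u in [PROBE_URI] + BENIGN_URIS:
        print(suspicious(u), analyze(u))
```

Matching on the decoded form rather than on the literal string "%C1%9C" also catches other overlong spellings of the same separators, such as %C0%AF for a forward slash.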
    
    