RE: Script I haven't seen? Or human directed?

From: James C Slora Jr (Jim.Sloraat_private)
Date: Thu Nov 07 2002 - 10:37:38 PST


    Keith T. Morgan wrote Thursday, November 07, 2002 9:18 AM
    
    > However, some of the details of the GET requests, I haven't seen before
    > today.  Here's an example GET.
    
    > http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro
    
    > I haven't seen requests for a boo.bat.  I also haven't seen this
    > particular echo command that was common to all of the requests for cmd.exe.
    > Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro"
    
    Old script or modified version -
    http://www.securiteam.com/tools/5FP0N0K4AY.html
    
    Boo.bat is a directory name in this request. The request traverses downward
    to (nonexistent) boo.bat then up to the root and back down to system32 to
    execute the cmd echo.
    
    The echo is Portuguese for "Our Lady of Perpetual Aid".
    
    - Jim
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
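
Added example, not part of the original message: a Python log check that folds the overlong UTF-8 sequence %C1%9C seen in the quoted request to the backslash it encodes, resolves the dot segments, and reports whether the path climbs above the web root. The function names and the placeholder host www.example.com are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Lead bytes 0xC0/0xC1 can only begin an overlong two-byte UTF-8 form of an
# ASCII character. Strict decoders reject them; lenient ones fold them to ASCII.
OVERLONG = re.compile(rb"[\xC0\xC1][\x80-\xBF]")

def fold_overlong(raw: bytes) -> bytes:
    """Map each overlong two-byte sequence to the ASCII byte it encodes."""
    return OVERLONG.sub(
        lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]),
        raw)

def inspect_request(url: str) -> dict:
    """Return findings for one logged request URL."""
    parts = urlsplit(url)
    raw = unquote_to_bytes(parts.path)            # undo %XX escaping only
    overlong = [m.group().hex() for m in OVERLONG.finditer(raw)]
    path = fold_overlong(raw).decode("latin-1").replace("\\", "/")
    depth, lowest, resolved = 0, 0, []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)           # below 0 means above web root
            if resolved:
                resolved.pop()
        else:
            depth += 1
            resolved.append(seg)
    return {
        "overlong": overlong,
        "escapes_root": lowest < 0,
        "resolved": "/" + "/".join(resolved),
        "query": parts.query,
        "suspicious": bool(overlong) or lowest < 0,
    }

# Constructed samples: the first uses the path quoted in the post with a
# placeholder host; the second is an ordinary request.
SAMPLES = [
    "http://www.example.com/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C"
    ".%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe"
    "?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro",
    "http://www.example.com/scripts/../images/logo.gif",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_request(s))
```

The check flags any request that carries an overlong sequence at all, since a legitimate client has no reason to send one.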
    



    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 11:30:00 PST