It's a perl script called IIS_PROMISC by Alexandre de Abreu availabel at http://online.securityfocus.com/tools/2060 And mentioned in http://lists.insecure.org/incidents/2001/Jul/0014.html Scott Keith T. Morgan wrote: >We recieved several "code red" style probes for cmd.exe and the like. The probes used the typical method of searching for all default IIS +execute permissioned directories. However, some of the details of the GET requests, I haven't seen before today. Here's an example GET. > >http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro > >I haven't seen requests for a boo.bat. I also haven't seen this particular echo command that was common to all of the requests for cmd.exe. Every one of them attempted to echo "MinhaNossaSenhoraDoPerpetuoSocorro" > >Some new script? Has anyone else seen these? > > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus ARIS analyzer service. >For more information on this free incident handling, management >and tracking system please see: http://aris.securityfocus.com > > > -- Scott C. Kennedy Lead Security Architect/ Director of Security Infosys Corporation Work: (877) 772-2347 PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 17:22:56 PST