Although not ASP specific, you might want to check out the "DDI_IIS_Compromised.nasl" plugin in the Nessus scanner distribution. It checks for most of the things left in the web root by your casual warez cracker. I will be submitting a slightly improved version sometime this week, but the "official" version can be found at: (possibly wrapped) http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/DDI_IIS_Compromised.nasl If you simply want to crawl an entire site and scan every single ASP script that's linked (besides a few common ones, kids really don't name their backdoors anything consistent), try looking for things like type="FILE" (for upload scripts), or common words like "execute" and "command". -HD On Tuesday 10 December 2002 09:01 am, Ian Lyte wrote: > Hi All, > > I'm looking for some sample .asp / .php files (preferably some > captured from honeypots if at all possible) that are currently being > uploaded on compromised systems. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Dec 10 2002 - 13:32:25 PST