Pantek Library

RE: Script I haven't seen? Or human directed?

From: James C Slora Jr <Jim.Slora(at)phra.com>
Date: Thu Nov 07 2002 - 13:37:38 EST


Keith T. Morgan wrote Thursday, November 07, 2002 9:18 AM

> However, some of the details of the GET requests, I haven't seen before
> today. Here's an example GET.
>
> http://216.12.96.114/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro
>
> I haven't seen requests for a boo.bat. I also haven't seen this
> particular echo command that was common to all of the requests for
> cmd.exe. Every one of them attempted to echo
> "MinhaNossaSenhoraDoPerpetuoSocorro"

Old script or modified version -
http://www.securiteam.com/tools/5FP0N0K4AY.html

Boo.bat is a directory name in this request. The request traverses downward to (nonexistent) boo.bat then up to the root and back down to system32 to execute the cmd echo.

The echo is Portuguese for "Our Lady of Perpetual Aid".

- Jim

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Nov 7 14:30:19 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT
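
Added example, not part of the original message or of the linked script: a log-triage helper that decodes the quoted request the way a lenient server would. `%C1%9C` is an overlong two-byte UTF-8 form of the backslash (0x5C), so after folding, the path climbs out of `/scripts` and lands on `cmd.exe`. The names `SEEN`, `BENIGN`, `fold_overlong` and `inspect` are hypothetical.

```python
from urllib.parse import unquote_to_bytes

# Request target from the GET quoted in the message (host and line-wrap spaces removed).
SEEN = ("/scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C.%C1%9C..%C1%9C..%C1%9C"
        "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro")
BENIGN = "/scripts/report.asp?id=7"  # constructed sample for comparison


def fold_overlong(raw: bytes) -> bytes:
    """Replace overlong 2-byte UTF-8 forms (lead byte 0xC0/0xC1) with the ASCII byte they encode."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # C1 9C -> 0x5C '\'
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def inspect(request_target: str) -> dict:
    """Decode a request target leniently and report where its path resolves."""
    path, _, query = request_target.partition("?")
    raw = unquote_to_bytes(path)
    folded = fold_overlong(raw)
    depth, escapes, last = 0, False, ""
    # Treat '\' and '/' alike, as a Windows file system would.
    for seg in folded.replace(b"\\", b"/").split(b"/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            depth -= 1
            if depth < 0:  # climbed above the web root
                escapes, depth = True, 0
        else:
            depth += 1
            last = seg.decode("latin-1").lower()
    return {"overlong": folded != raw, "escapes_root": escapes,
            "target": last, "query": query}


if __name__ == "__main__":
    for target in (SEEN, BENIGN):
        print(inspect(target))
```

A request that sets both `overlong` and `escapes_root` is worth flagging regardless of which directory name (here `boo.bat`) the script happens to use.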
