From: Ian Lyte (ilyte@alias666.freeserve.co.uk)
Date: Tue Dec 10 2002 - 10:01:07 EST
Hi All,
I'm looking for some sample .asp / .php files (preferably some captured
from honeypots if at all possible) that are currently being uploaded on
compromised systems.
Loki mentioned an .asp in his "Forensic Analysis Without an IDS: A
Detailed Account of Blind Incident Response"
(http://www.fatelabs.com/papers/broken-walls.pdf) that he admired ( "Check
out this lovely asp script below. I will be the first to admit, I’ve never
seen anything this beautiful in my many years of incident response." were
his words!) Unfortunately he did not provide source, just an image of the
page. I have contacted Loki for a copy but to date I have no reply.
If anyone knows of any resources that I can find out anymore about these
or if anyone has copies that they could send me off list I would be
grateful.
Secondly, does anyone know of any way of scanning both php and asp files
for malicious content? If a web site has literally 100's of asp and php
'pages' and the scripts can be updated by some of the staff is it only trust
that prevents them adding malicious code to their scripts? Can you not run
an automated scanner over the pages and check for certain code?
Thanks in Advance
Ian
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT