RE: ASP Files

From: Ben Meghreblian (benmeg@benmeg.com)
Date: Tue Dec 10 2002 - 14:47:54 EST

• Next message: H D Moore: "Re: ASP Files"
• Previous message: Brass, Phil (ISS Atlanta): "RE: Firewall Load Testing"
• Maybe in reply to: Ian Lyte: "ASP Files"
• Next in thread: H D Moore: "Re: ASP Files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Ian et al,

The ASP file screen-grabbed looks like a combination of the following:

For the file upload:

http://www.cymbala.com/Greg/HowToUpload.htm

For file browsing/execution:

http://web.archive.org/web/20011020152532/dogmile.com/files/cmdasp.html

For the server stats:

http://benmeg.com/code/asp/server.stats.html

As for scanning pages for 'malicious content', I suppose one could check
against a list of objects that you regard as safe that your developers
have used and/or unregister certain .DLLs/components. For instance, on
the dogmile pages, the example is given that one can unregister the
windows scripting object by regsvr32.exe /u C:\winnt\system32\wshom.ocx
- but this may prove too extreme if you are using it elsewhere, for
instance for scheduled tasks etc. Otherwise, some form of tripwire-esque
software noting/notifying/replacing modified files would perhaps
suffice.

Cheers,

Ben

-----Original Message-----
From: Ian Lyte [mailto:ilyte@alias666.freeserve.co.uk]
Sent: 10 December 2002 15:01
To: pen-test@securityfocus.com
Subject: ASP Files

Hi All,

    I'm looking for some sample .asp / .php files (preferably some
captured from honeypots if at all possible) that are currently being
uploaded on compromised systems.

    Loki mentioned an .asp in his "Forensic Analysis Without an IDS: A
Detailed Account of Blind Incident Response"
(http://www.fatelabs.com/papers/broken-walls.pdf) that he admired (
"Check out this lovely asp script below. I will be the first to admit,
I’ve never seen anything this beautiful in my many years of incident
response." were his words!) Unfortunately he did not provide source,
just an image of the page. I have contacted Loki for a copy but to date
I have no reply.

    If anyone knows of any resources that I can find out anymore about
these or if anyone has copies that they could send me off list I would
be grateful.

    Secondly, does anyone know of any way of scanning both php and asp
files for malicious content? If a web site has literally 100's of asp
and php 'pages' and the scripts can be updated by some of the staff is
it only trust that prevents them adding malicious code to their scripts?
Can you not run an automated scanner over the pages and check for
certain code?

    Thanks in Advance

Ian

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: H D Moore: "Re: ASP Files"
• Previous message: Brass, Phil (ISS Atlanta): "RE: Firewall Load Testing"
• Maybe in reply to: Ian Lyte: "ASP Files"
• Next in thread: H D Moore: "Re: ASP Files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT