From: H D Moore (hdm@digitaloffense.net)
Date: Tue Dec 10 2002 - 13:39:27 EST
Although not ASP specific, you might want to check out the
"DDI_IIS_Compromised.nasl" plugin in the Nessus scanner distribution. It
checks for most of the things left in the web root by your casual warez
cracker. I will be submitting a slightly improved version sometime this
week, but the "official" version can be found at:
(possibly wrapped)
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/DDI_IIS_Compromised.nasl
If you simply want to crawl an entire site and scan every single ASP
script that's linked (besides a few common ones, kids really don't name
their backdoors anything consistent), try looking for things like
type="FILE" (for upload scripts), or common words like "execute" and
"command".
-HD
On Tuesday 10 December 2002 09:01 am, Ian Lyte wrote:
> Hi All,
>
> I'm looking for some sample .asp / .php files (preferably some
> captured from honeypots if at all possible) that are currently being
> uploaded on compromised systems.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT