Confirmed. Time to configure your web application proxies to block the naughty strings. Doing a google search for texis.exe turns up some interesting sites, all of which respond to ?-dump and ?-version. The information provided is significant including local ip and forwarding IP (so you can determine load balancing/etc setups quite easily): ========================== Environment ALLUSERSPROFILE='C:\Documents and Settings\All Users' CommonProgramFiles='C:\Program Files\Common Files' COMPUTERNAME='SDTIWEB' ComSpec='C:\WINNT\system32\cmd.exe' CONTENT_LENGTH='0' GATEWAY_INTERFACE='CGI/1.1' HTTPS='off' HTTP_ACCEPT='image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*' HTTP_ACCEPT_LANGUAGE='en-us' HTTP_CONNECTION='keep-alive' HTTP_HOST='www.[VICTIM_NAME_REMOVED].com' HTTP_USER_AGENT='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)' HTTP_VIA='1.1 [WEB_PROXY_REMOVED]:3128 (Squid/2.4.STABLE7)' HTTP_ACCEPT_ENCODING='gzip, deflate' HTTP_X_FORWARDED_FOR='10.2.0.20' HTTP_CACHE_CONTROL='max-age=259200' INSTANCE_ID='1' LOCAL_ADDR='192.168.12.22' NUMBER_OF_PROCESSORS='2' Os2LibPath='C:\WINNT\system32\os2\dll;' OS='Windows_NT' Path='C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem' PATHEXT='.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH' PATH_TRANSLATED='N:\[VICTIM_NAME_REMOVED]\Inetpub\betaroot' PROCESSOR_ARCHITECTURE='x86' PROCESSOR_IDENTIFIER='x86 Family 6 Model 11 Stepping 1, GenuineIntel' PROCESSOR_LEVEL='6' PROCESSOR_REVISION='0b01' ProgramFiles='C:\Program Files' QUERY_STRING='-dump' REMOTE_ADDR='24.86.189.174' REMOTE_HOST='24.86.189.174' REQUEST_METHOD='GET' SCRIPT_NAME='/programs/texis.exe' SERVER_NAME='www.[VICTIM_NAME_REMOVED].com' SERVER_PORT='80' SERVER_PORT_SECURE='0' SERVER_PROTOCOL='HTTP/1.0' SERVER_SOFTWARE='Microsoft-IIS/5.0' SystemDrive='C:' SystemRoot='C:\WINNT' TEMP='C:\WINNT\TEMP' TMP='C:\WINNT\TEMP' USERPROFILE='C:\Documents and Settings\Default User' windir='C:\WINNT' Command line N:\[VICTIM_NAME_REMOVED]\Inetpub\Webinator4\texis.exe -dump Miscellaneous 32-bit files Variables $urlroot='/programs/texis.exeN:\rsasfiles\Inetpub\betaroot' $pathroot='N:\[VICTIM_NAME_REMOVED]\Inetpub\betaroot' $sourcepath='N:\[VICTIM_NAME_REMOVED]\Inetpub\betaroot' ========================== Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
