[Emerging-Sigs] favicon's as executables

Matt Jonkman jonkman at jonkmans.com
Thu Jan 15 23:39:19 EST 2009


That seems a pretty significant misconfig... Are you sure what came was
not hostile?

matt

CunningPike wrote:
> I have noticed quite a few of these as well. In all our cases, the
> executable turned out to be a copy of aspnet_isapi.dll.
> 
> I have a feeling that there is some misconfiguration in IIS/ASP.NET that
> causes this behavior.
> 
> CP
> 
> On Wed, 2009-01-14 at 16:53 -0500, RPG wrote:
>> We have seen a few instances of favicon.ico's coming down as executable 
>> files. In all instances so far the server reports "404 Not Found" 
>> when the browser requests the favicon.ico file yet it serves this little 
>> binary instead
>>
>> DST: HTTP/1.1 404 Not Found
>> DST: Content-Length: 17416
>> DST: Content-Type: application/x-msdownload
>> DST: Server: Microsoft-IIS/6.0
>> DST: X-Powered-By: ASP.NET
>> DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
>> DST:
>> DST: MZ...................... at ...............................................!..L.!Th
>>
>> $ file favicon.ico
>> favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit
>>
>> $ md5sum favicon.ico
>> 74e81a65879ffe881a7af525a0254ad8  favicon.ico
>>
>> Here's an example URL if you're curious:
>> http://wwwDOTnjcarbuyerDOTcom/favicon.ico
>> Download it safely and of course replace the DOT's.  :)
>>
>> Virustotal comes up empty and so does threatexpert.com
>> http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
>> http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8
>>
>> Can someone shed light on this little mystery?  TIA
>>
>> RPG
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



