The Case of the "Default User"

Ever run across a case during which, while examining Internet browser history, you found that the "Default User" had browser history? Ever wondered about that?

Rob "van" Hensing was one of the first I know of to blog about this issue, almost three years ago. Given the time frame, this is a good time to bring this subject up again, don't'cha think?

I've seen this sort of thing in a couple of instances, specifically when SQL injection has been used to gain access to an infrastructure and the bad guy gets a copy of wget.exe (static PE analysis will tell you if the program accesses the WinInet APIs) onto the system, then uses that to pull down other files. In many cases, they'd use echo to create an FTP script, then launch the native command-line FTP client using the script, or use wget.exe to pull the files down. Why? Well, most times FTP and/or HTTP are allowed out through the firewall.

Good stuff.
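
The static PE check mentioned in the parenthetical above, as an added example (not code from the original post): a Python parser that walks a PE file's import directory and reports whether wininet.dll is listed. The function names are assumptions, and build_sample_pe produces a constructed sample image so the check runs offline. Only the static import table is read, so DLLs that are delay-loaded or resolved at run time with LoadLibrary will not appear.

```python
import struct

def imported_dlls(data):
    """Return lower-cased DLL names listed in a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory 1 (imports) follows 96 (PE32) or 112 (PE32+) header bytes.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:]
                for i in range(nsect)]

    def offset(rva):
        """Translate an RVA to a file offset using the section table."""
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)

    names, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva = struct.unpack_from("<I", data, pos + 12)[0]  # descriptor Name
        if name_rva == 0:                                       # null terminator
            break
        start = offset(name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace").lower())
        pos += 20
    return names

def uses_wininet(data):
    return "wininet.dll" in imported_dlls(data)

def build_sample_pe(dll=b"WININET.dll"):
    """Constructed sample input: minimal PE32 with one section, one import."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, 0x1000, 40)       # import directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    body = struct.pack("<IIIII", 0, 0, 0, 0x1028, 0) + bytes(20) + dll + b"\0"
    return hdr.ljust(0x200, b"\0") + body.ljust(0x200, b"\0")
```

To check a binary recovered from a system image, read it with open(path, "rb").read() and pass the bytes to uses_wininet.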