The ones below are taken from [http://www.cgisecurity.com/papers/fi...ng-2.html#more
This file is started by certain versions of Windows every time the machine boots.
Oftentimes, after an attacker has done what he or she wants with a box, he or she will install
tools to remove logs and any reference to an intrusion having taken place. An attacker may
modify this file and insert commands into it. The next time the machine is rebooted, logs and
traces can be wiped and the attacker is home free. People running a web server on Windows 95
or 98 will be affected by this problem. For security purposes, if you plan on using a Windows
product, you should only be running a public web server on NT/2000 with NTFS.
This is the backdoor left by the sadmind/IIS, Code Red, and Nimda worms. This backdoor is a
copy of cmd.exe renamed to root.exe and placed inside the web root. If an attacker or worm
has access to this file, you can bet you're in trouble. Common directories this file
resides in are "/scripts/" and "/MSADC/".
"nobody.cgi 1.0 A free Perl script from VerySimple"
This is a CGI program, which was originally written to provide admins with
a shell backdoor. It also carries a hefty warning from the programmer explaining the dangers
of improperly using this program. It is now a popular backdoor used by attackers
to execute commands with the permissions of the web server. You really would be
surprised how often I see this popping up. Hanging out in chat rooms, I've seen three
different occasions where people (unaware of each other) have used this script.
Oh, and no, I won't give you the link to this product.
This is the directory that contains the IIS server logs. An attacker may
attempt to view your logs via a web application hole. If you see a reference
to system32/LogFiles in a request, there is a good chance your system has already been taken over.
This is the directory that contains the backup password file on NT systems.
The file will be named either "sam._" (NT4) or "sam" (Win2k). If an attacker manages
to get hold of this file, then you're in for some real trouble.
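The file and directory names above are the kind of thing to look for in a web server's access log. The following scanner is an added example, not code from the cgisecurity paper or the original post; the log lines it checks are constructed for the example, and the indicator list covers only the paths discussed above.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the entries above, each with a note on what a hit
# in an access log suggests. Not an exhaustive list of web backdoors.
INDICATORS = {
    "root.exe":          "renamed cmd.exe left by sadmind/IIS, Code Red or Nimda",
    "nobody.cgi":        "VerySimple nobody.cgi shell backdoor",
    "system32/logfiles": "attempt to read the IIS log directory",
    "repair/sam":        "attempt to read the NT backup password file",
    "autoexec.bat":      "attempt to read or modify the boot-time batch file",
}

# Constructed sample in NCSA common log format; hosts, dates and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2002:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [01/Jan/2002:10:00:02 -0500] "GET /scripts/root.exe HTTP/1.0" 200 312
10.0.0.9 - - [01/Jan/2002:10:00:03 -0500] "GET /cgi-bin/nobody.cgi HTTP/1.0" 404 0
10.0.0.9 - - [01/Jan/2002:10:00:04 -0500] "GET /winnt/system32/LogFiles/ HTTP/1.0" 403 0
10.0.0.11 - - [01/Jan/2002:10:00:05 -0500] "GET /winnt/repair/sam._ HTTP/1.0" 404 0
10.0.0.11 - - [01/Jan/2002:10:00:06 -0500] "GET /MSADC/ROOT%2Eexe HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_log(text):
    """Return one finding per log line whose request path contains an indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        # Normalise before matching: decode percent-encoding, fold backslashes
        # to slashes and lower-case, so "/MSADC/ROOT%2Eexe" matches "root.exe".
        path = unquote(m.group("path")).replace("\\", "/").lower()
        status = int(m.group("status"))
        for needle, note in INDICATORS.items():
            if needle in path:
                findings.append({"line": line_no, "host": m.group("host"),
                                 "path": path, "status": status,
                                 "indicator": needle, "note": note,
                                 # a 2xx means the server actually served the file
                                 "succeeded": 200 <= status < 300})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["succeeded"] else "probe"
        print(f"line {f['line']}: {f['host']} {f['path']} [{flag}] {f['note']}")
```

A hit with a 2xx status (the root.exe line) deserves immediate attention, since it means the file existed and the server ran it; a 404 or 403 still records who was probing for it.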
Novell File systems
This is an example Novell file system. It is possible that an advanced attacker with
deep knowledge of Novell may try to view files remotely. On the other hand, getting
information such as the intranet server name may not be too easy.