MSUNAG Archives

Subject: FrontPage exploit
From: Eric Weston <[log in to unmask]>
Reply-To: [log in to unmask]
Date: Tue, 16 May 2006 13:23:52 -0400
Content-Type: text/plain

   We logged an exploit attempt on one of our servers yesterday. This is
not at all uncommon, but in this case, the IP of the machine which
launched the attack was one in our Staff IP range. I expect that the
workstation in question has been compromised, and was used to launch the
attack. I am curious to learn if other admins on campus have seen
similar activity. 
   I first became aware of this activity by reading my daily LogWatch
reports (the attacked server is a Linux Box). Under the httpd section
there was this message:

Attempts to use 1 known hacks were logged 4 time(s)
  shtml.exe    by
          35.8.#.# 

  [NOTE: I left out the rest of the address to preserve the legit user's
privacy]

I checked the server's logs, and found the requests made by the
workstation. 
  Here's an excerpt:

> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var

  The bit of research I did suggests the attacker attempted an MS
FrontPage exploit. I am not at all familiar with this type of exploit;
we don't use FrontPage or IIS.

  Has anyone else seen this kind of attack recently? We are not
vulnerable to this exploit, but as the source was one of our staff
workstations, I could use some information about how this type of
exploit is implemented.

          Thanks,
                     Eric Weston, Libraries
-- 
<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>
Eric Weston, Information Technology Professional
Michigan State University Libraries
Information Technology Division, Systems Dept.
http://www.msu.edu/~westone
517-432-6123 x.229
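
The check described in the post, as an added example that is not part of the original message: it scans Apache error-log lines in the quoted format for the FrontPage paths named above and marks which requesting clients fall inside an internal range. The staff network 192.0.2.0/24, the function names and all sample log lines are constructed placeholders, since the post redacts the real addresses.

```python
import ipaddress
import re

# Assumption: stand-in for the campus staff range (the post redacts the real one).
STAFF_NET = ipaddress.ip_network("192.0.2.0/24")
# Path fragments named in the post: the LogWatch hit and the two error-log paths.
PROBE_MARKERS = ("shtml.exe", "_vti_inf.html", "_vti_bin")
# error_log line in the format quoted in the post; tolerates a dropped "]" after the address.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\]? "
    r"File does not exist: (?P<path>\S+)$"
)

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.17] File does not exist: /home/httpd/html/_vti_inf.html
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.17] File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.17] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Mon May 15 13:38:01 2006] [error] [client 192.0.2.17 File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 14:02:10 2006] [error] [client 203.0.113.9] File does not exist: /home/httpd/html/_vti_bin/shtml.exe
[Mon May 15 14:05:33 2006] [error] [client 192.0.2.40] File does not exist: /home/httpd/html/favicon.ico
"""

def find_probes(log_text, staff_net=STAFF_NET):
    """Return {client_ip: {"internal": bool, "hits": [(timestamp, path), ...]}}."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or not any(k in m["path"] for k in PROBE_MARKERS):
            continue  # not a missing-file entry, or not a FrontPage path
        try:
            internal = ipaddress.ip_address(m["ip"]) in staff_net
        except ValueError:
            continue  # redacted or malformed client address
        entry = report.setdefault(m["ip"], {"internal": internal, "hits": []})
        entry["hits"].append((m["ts"], m["path"]))
    return report

def internal_sources(report):
    """Internal clients requesting FrontPage paths: candidates for host triage."""
    return sorted(ip for ip, e in report.items() if e["internal"])

if __name__ == "__main__":
    rep = find_probes(SAMPLE_LOG)
    for ip, e in rep.items():
        print(ip, "INTERNAL" if e["internal"] else "external", len(e["hits"]), "hits")
    print("triage:", internal_sources(rep))
```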
