We logged an exploit attempt on one of our servers yesterday. This is
not at all uncommon, but in this case, the IP of the machine which
launched the attack was one in our Staff IP range. I expect that the
workstation in question has been compromised, and was used to launch the
attack. I am curious to learn if other admins on campus have seen
similar activity.
I first became aware of this activity by reading my daily LogWatch
reports (the attacked server is a Linux box). Under the httpd section
there was this message:
Attempts to use 1 known hacks were logged 4 time(s)
shtml.exe by
35.8.#.#
[NOTE: I left out the rest of the address to preserve the legit user's
privacy]
I checked the server's logs, and found the requests made by the
workstation.
Here's an excerpt:
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
The bit of research I did suggests the attacker attempted an MS
FrontPage exploit. I am not at all familiar with this type of exploit;
we don't use FrontPage or IIS.
Has anyone else seen this kind of attack recently? We are not
vulnerable to this exploit, but as the source was one of our staff
workstations, I could use some information about how this type of
exploit is implemented.
Thanks,
Eric Weston, Libraries
--
<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>
Eric Weston, Information Technology Professional
Michigan State University Libraries
Information Technology Division, Systems Dept.
http://www.msu.edu/~westone
517-432-6123 x.229
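An added example, not part of Eric's post or of LogWatch: a small Python script that parses Apache error_log lines in the format quoted above and groups requests for FrontPage-only paths (the _vti_ directories and shtml.exe named in the post) by client address, so the source workstation can be identified and the probes counted the way LogWatch's "known hacks" line does. The sample log lines are constructed, and the 192.0.2.x / 198.51.100.x addresses are documentation addresses standing in for the real ones.

```python
import re
from collections import defaultdict
# Apache 2.0/2.2 error_log line, the format quoted in the post:
#   [Mon May 15 13:37:45 2006] [error] [client 1.2.3.4] File does not exist: /some/path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.+)$"
)
PATH_RE = re.compile(r"File does not exist: (?P<path>\S+)")
# Request targets that exist only on a FrontPage Server Extensions host. On a server
# that never ran FrontPage, a 404 for these is a fingerprinting probe, not a user typo.
FRONTPAGE_MARKERS = ("/_vti_", "shtml.exe")

# Constructed sample in the post's format; 192.0.2.x / 198.51.100.x are documentation
# addresses standing in for the real staff and visitor IPs.
SAMPLE_LOG = """\
> [Mon May 15 13:37:45 2006] [error] [client 192.0.2.10] File does not exist: /home/httpd/html/_vti_inf.html
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.10] File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.10] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Mon May 15 13:38:01 2006] [error] [client 192.0.2.10] File does not exist: /home/httpd/html/_vti_inf.html
[Mon May 15 13:38:01 2006] [error] [client 192.0.2.10] File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 13:39:12 2006] [error] [client 198.51.100.7] File does not exist: /home/httpd/html/favicon.ico
[Mon May 15 13:40:02 2006] [error] [client 198.51.100.7] File does not exist: /home/httpd/html/_vti_bin/shtml.exe
"""

def parse_line(line):
    """Split one error_log line into its fields (None if it is not in that format)."""
    m = LINE_RE.match(line.strip().lstrip("> "))  # tolerate a mail-quoting prefix
    if not m:
        return None
    rec = m.groupdict()
    p = PATH_RE.search(rec["msg"])
    rec["path"] = p.group("path") if p else None  # 'no acceptable variant' lines carry no request path
    return rec

def is_frontpage_probe(path):
    return path is not None and any(marker in path for marker in FRONTPAGE_MARKERS)

def find_frontpage_probes(lines):
    """Group FrontPage-style probes by client: {client_ip: [(timestamp, path), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_frontpage_probe(rec["path"]):
            hits[rec["client"]].append((rec["ts"], rec["path"]))
    return dict(hits)

if __name__ == "__main__":
    # One summary line per source, like LogWatch's "known hacks" count
    for client, probes in sorted(find_frontpage_probes(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {len(probes)} FrontPage probe(s), first at {probes[0][0]}")
```

Run it against /var/log/httpd/error_log instead of SAMPLE_LOG to get the per-client list for the real server; any client that hits these paths on a host that has never served FrontPage is worth a look at the workstation itself.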