We logged an exploit attempt on one of our servers yesterday. This is not at all uncommon, but in this case, the IP of the machine which launched the attack was one in our Staff IP range. I expect that the workstation in question has been compromised, and was used to launch the attack. I am curious to learn if other admins on campus have seen similar activity.

I first became aware of this activity by reading my daily LogWatch reports (the attacked server is a Linux box). Under the httpd section there was this message:

    Attempts to use 1 known hacks were logged 4 time(s)
        shtml.exe by 35.8.#.#

[NOTE: I left out the rest of the address to preserve the legit user's privacy]

I checked the server's logs, and found the requests made by the workstation. Here's an excerpt:

> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:37:45 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] File does not exist: /home/httpd/html/_vti_inf.html
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.# File does not exist: /home/httpd/html/_vti_bin
> [Mon May 15 13:38:01 2006] [error] [client 35.8.#.#] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var

The bit of research I did suggests the attacker attempted an MS FrontPage exploit. I am not at all familiar with this type of exploit; we don't use FrontPage or IIS.

Has anyone else seen this kind of attack recently? We are not vulnerable to this exploit, but as the source was one of our staff workstations, I could use some information about how this type of exploit is implemented.

Thanks,
Eric Weston, Libraries

--
<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>^<>v<>
Eric Weston, Information Technology Professional
Michigan State University Libraries
Information Technology Division, Systems Dept.
http://www.msu.edu/~westone
517-432-6123 x.229
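
A log check for the probe pattern in the excerpt above, added here as an example and not part of the original message: it counts requests for the FrontPage paths named in the post per client and marks clients that fall inside a local address range. The sample addresses, the range 192.0.2.0/24 and the function name frontpage_probes are constructed for illustration.

```python
import ipaddress
import re

# Apache error_log line in the format quoted in the post. The "]" after the
# client address is optional because one quoted line in the excerpt lacks it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\]? "
    r"File does not exist: (?P<path>\S+)"
)
# FrontPage-related paths that appear in the post's LogWatch and log output.
PROBE_RE = re.compile(r"/(?:_vti_inf\.html|_vti_bin|shtml\.exe)(?:/|$)", re.I)

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.44] File does not exist: /home/httpd/html/_vti_inf.html
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.44] File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 13:37:45 2006] [error] [client 192.0.2.44] no acceptable variant: /var/www/error/HTTP_NOT_FOUND.html.var
[Mon May 15 13:38:01 2006] [error] [client 192.0.2.44 File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 14:02:10 2006] [error] [client 198.51.100.7] File does not exist: /home/httpd/html/_vti_bin
[Mon May 15 14:05:00 2006] [error] [client 192.0.2.90] File does not exist: /home/httpd/html/favicon.ico
""".splitlines()


def frontpage_probes(lines, internal_nets):
    """Return {client_ip: {"hits", "first", "last", "internal"}} for probe requests."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    found = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m["path"]):
            continue  # not a "File does not exist" line, or not a FrontPage path
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # address field is not a valid IP; skip the line
        rec = found.setdefault(str(addr), {
            "hits": 0, "first": m["ts"],
            "internal": any(addr in n for n in nets),
        })
        rec["hits"] += 1
        rec["last"] = m["ts"]
    return found


if __name__ == "__main__":
    for ip, rec in frontpage_probes(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        origin = "INTERNAL" if rec["internal"] else "external"
        print(f"{ip:15} {origin:8} hits={rec['hits']} {rec['first']} .. {rec['last']}")
```
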