Security Incidents mailing list archives
Re: New to this and need help plz!!
From: Jeff <jeff () TCNET ORG>
Date: Thu, 28 Dec 2000 00:43:27 -0500
On Wed, 27 Dec 2000, Robert J. Wright wrote:

[snip]

> [**] IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll [**]
> 12/27-06:46:04.461674 xxx.xxx.xxx.xxx:48731-> xxx.xxx.xxx.xxx:80 TCP TTL:244 TOS:0x0 ID:4692 DF
> *****PA* Seq: 0xC621C4EA Ack: 0x243699 Win: 0x2238
>
> I have received a total of 27 of these from that one source, going to my webserver. No kidding, eh, being port 80 =]
>
> Now, from my understanding this can be legit traffic. I DNS'd the IP and it's a large consulting/industry company. I checked with a sales rep and we do sell products to this company. However, from what I read on Whitehats.com I don't see a reason why this should happen from a customer. So I really don't know how to address this. Can someone please help me out? Should I contact the network administrator from that company about this?
Robert-

Here is the snort rule in question, just pulled from the database on snort.org. I'll assume that you're using this somewhat unmodified. The rule will wrap, but we can deal with that here:

    alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll"; content: "_vti_bin/shtml.dll"; nocase; flags: AP;)

So, alert when you see tcp traffic from anywhere except from our $HOME_NET, any source port... destined for any host on $HOME_NET port 80... use the message "IDS292 [etc]" for the alert message (if we DO generate an alert... we're not done with the rule yet)... and the content of the packet/stream contains "_vti_bin/shtml.dll" -- case insensitive... and the TCP flags are exactly ACK and PSH.

You are correct in stating that this could be routine, legitimate traffic. Nothing of this indicates with certainty an exploit, attempted or otherwise. If you are running FrontPage server extensions on the target web server, this traffic could be quite valid -- either from someone maintaining pages on your server, or even in some cases viewing pages that were created with dependencies on the FrontPage server extensions. Even the viewing of pages on your site using a Microsoft software package can trigger references to FrontPage-related files on a web server: Microsoft Office and Microsoft Web Folders, among others (though perhaps not always shtml.dll).

Your next steps should involve some investigation -- some tasks/places to start are listed below. Contacting an admin/technical person at the remote site is a judgment call that you or someone else at your organization will have to make, based on the perceived urgency of the situation and the result of some initial investigation -- if urgency permits such investigation. This is one of many areas where you may find a formal security policy Quite Useful.

* Check the web server access logs -- match up records here with the alerts from snort.
* Are FrontPage server extensions running on this machine?
* Should FrontPage server extensions be running on this machine?
* Are the installed (if installed) FrontPage server extensions current, or are they outdated? In the case of FPSE, outdated generally equates to vulnerable.
* Were the requests logged by snort a result of someone browsing, authoring, or other?
* Should that IP have been browsing, authoring, or other?

Investigate as needed/able, and try to document as you go. Getting to know what things are/should be running on your network is one of the key steps in being able to detect things that should not be running on your network.

Some resources specific to this issue include:

Writing Snort Rules
<URI:http://www.snort.org/writing_snort_rules.htm>

Misc FrontPage references:
<URI:http://msdn.microsoft.com/workshop/languages/fp/default.asp>
<URI:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp>
<URI:http://www.microsoft.com/frontpage/>
<URI:http://www.rtr.com/fpsupport/>

Enjoy, and I hope that this information is helpful to you as you learn.

-jeff

--
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff () tcnet org
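The first investigation step Jeff lists, matching Snort's IDS292 alerts against the web server access log, can be scripted. The following is an added example, not code from the thread: it parses Snort packet-header lines of the form shown above and Common Log Format access-log entries, pairs each alert with requests from the same client in a short time window, and flags which of those requests actually hit _vti_bin/shtml.dll (case-insensitive, like the rule's nocase). Both inputs are constructed samples using documentation IP addresses; the two-second window and the year argument (Snort omits the year) are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample data (documentation IPs), modelled on the alert in the thread.
SNORT_ALERTS = """\
[**] IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll [**]
12/27-06:46:04.461674 192.0.2.10:48731 -> 198.51.100.5:80 TCP TTL:244 TOS:0x0 ID:4692 DF
[**] IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll [**]
12/27-06:46:20.000000 192.0.2.10:48740 -> 198.51.100.5:80 TCP TTL:244 TOS:0x0 ID:4701 DF
"""
ACCESS_LOG = """\
192.0.2.10 - - [27/Dec/2000:06:46:04 -0500] "POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1" 200 312
192.0.2.10 - - [27/Dec/2000:06:46:05 -0500] "GET /index.htm HTTP/1.1" 200 5120
203.0.113.7 - - [27/Dec/2000:06:47:10 -0500] "GET /_vti_bin/shtml.dll/x.htm HTTP/1.0" 404 210
"""
ALERT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ (\S+):\d+ -> (\S+):(\d+) ")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_alerts(text, year):
    """Return (timestamp, src_ip, dst_ip, dst_port) per Snort packet-header line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # Snort omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year}/{m[1]} {m[2]}", "%Y/%m/%d %H:%M:%S")
            out.append((ts, m[3], m[4], int(m[5])))
    return out

def parse_access_log(text):
    """Return (timestamp, client_ip, method, path, status) per CLF line; tz ignored."""
    out = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            out.append((datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S"), m[1], m[3], m[4], int(m[5])))
    return out

def correlate(alerts, requests, window=timedelta(seconds=2)):
    """Pair each alert with log requests from the same client within +/- window.
    An alert with no match means the server never logged that request."""
    results = []
    for ts, src, _dst, _port in alerts:
        hits = [r for r in requests if r[1] == src and abs(r[0] - ts) <= window]
        # Mirror the rule's case-insensitive content match against the request path
        fp = [r for r in hits if "_vti_bin/shtml.dll" in r[3].lower()]
        results.append({"alert_time": ts, "src": src, "matched": hits, "frontpage": fp})
    return results

if __name__ == "__main__":
    for r in correlate(parse_alerts(SNORT_ALERTS, 2000), parse_access_log(ACCESS_LOG)):
        print(r["alert_time"], r["src"], [(m, p, s) for _, _, m, p, s in r["frontpage"]] or "no log entry")
```

The method, path and status of each matched request tell you whether the source was browsing or authoring (a POST to _vti_rpc is an authoring call, a GET of an .htm is browsing), which is exactly the question the checklist above asks.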