Re: possible frontpage exploit?

[Raul Dias <chaos () swi com br>]

> My company has had two websites defaced within the last week.  Both times
> the defacement seems to take place withing frontpage.  Here is the the
> actual defacement taking place:

> ascta014p151.onda.com.br - - [12/Jul/2001:02:54:05 -0500] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/4.0 (compatible; MSIE 
> 5.5; Windows 98; Win 9x 4.90)"
>
> If you look, the attacker is using requests for "rbteam1.jpg" to see
> whether he is successful.  The machine in question is running solaris 8,
> the webserver is apache 1.3.14 w/ the FP 2000 server extensions installed.
> My question is, has anyone seen anything like this?  Is this a frontpage
> exploit, or something else?  If it's something else, I'd sure like to know
> what it is.
>
> Thanks
> --John Jetmore

You should try to contact Onda.
Onda is a ISP here in Brazil.  
Unfortunally it is not too resposible for the action of its users
we have a few incidents with tham and Onda doesn't really care.

Anyways, here are they number:
(55) -  0800-437878   (toll free)
(55) - 41 - 322-7766

Good luck.

-Raul Dias


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com