Security Incidents mailing list archives
Re: Website Defacement
From: killy <killfactory () gmail com>
Date: Wed, 14 Jun 2006 09:11:13 -0400
Hi Jan,

Yes, I do have the HTTPERR logs and they were somewhat helpful. We think it was a permission misconfiguration on the www-root. The admin did not make an image before rebuilding so there is not much more I can look at from a distance. These servers belong to an agency that is merging with ours. Looks like a lot of work to do with these guys. Low skill set, bad practices, etc. etc.

On 6/14/06, Jan Reilink <janreilink () vevida com> wrote:
killy wrote:
> Hi everyone,
>
> Here is a piece of an IIS 6 log file of a recently defaced site.
>
> ##after a few failed attempts this one was successful
> 2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
> 2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
> 2006-05-25 04:57:25 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 348
> 2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189
> [...]
> Here is my question. Where else can I find evidence on the server to support my findings?

Maybe a silly question, but this is the HTTP logfile of a virtual domain / website on your server? If yes, have a look at the HTTPERR logfiles located in %SYSTEMROOT%\system32\LogFiles\HTTPERR\*.log. Together with the Event Viewer (both Application and System), they have been helpful on more than one occasion.

> Findings: Exploited vulnerability in FrontPage extensions [...]
> If anyone has dealt with this particular attack before or performed it ;-) please shed a little more light for me.

One commonly made mistake is to grant modify permissions to an IUSR on the www-root folder, when FrontPage Server Extensions are installed. This means anyone can log in with FrontPage without authentication. I am not aware of any (new) FrontPage vulnerabilities. If there are, I'm interested too.

--
Met vriendelijke groet / Best regards,
Jan Reilink
VEVIDA Nederland B.V., janreilink () vevida com
Postbus 329, 9700 AH GRONINGEN, +31(0)50 - 5492234
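The log pattern the thread turns on is an unauthenticated FrontPage authoring call (POST to author.dll, cs-username "-") that the server answered 200. The following is an added detection example, not code from either poster; it assumes the W3C field order visible in the quoted lines and embeds a constructed sample log built from them (plus one 401 and one ordinary GET for contrast).

```python
from collections import defaultdict

# Field order assumed from the log lines quoted in the thread (no #Fields header
# was shown); a #Fields line in the real file overrides it. IIS writes a "-" for
# empty fields and replaces spaces in field values with "+", so split() is safe.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs-username", "c-ip", "cs-version", "cs(User-Agent)",
          "cs(Referer)", "sc-status", "sc-bytes"]

# FrontPage Server Extensions endpoint that performs authoring (write) operations.
AUTHORING_STEMS = ("/_vti_bin/_vti_aut/author.dll",)

# Constructed sample: the accepted calls quoted in the thread, one earlier
# rejected attempt (401) and an unrelated GET, to show what is and is not flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
2006-05-25 04:55:01 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189
2006-05-25 05:01:02 GET /index.htm - - 10.0.0.5 HTTP/1.1 Mozilla/4.0 - 200 5120
"""

def parse_w3c(text):
    """Yield one dict per log entry, honouring a #Fields directive if present."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real tool would report it
        yield dict(zip(fields, parts))

def accepted_authoring_calls(text):
    """Return {client_ip: count} of authoring POSTs answered 200 with no
    username logged, the signature of the IUSR/www-root permission mistake."""
    hits = defaultdict(int)
    for e in parse_w3c(text):
        if (e["cs-method"] == "POST" and e["cs-uri-stem"] in AUTHORING_STEMS
                and e["sc-status"] == "200" and e["cs-username"] == "-"):
            hits[e["c-ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in accepted_authoring_calls(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated FrontPage authoring call(s) accepted")
```

Any hit is worth correlating with the HTTPERR logs and Event Viewer entries mentioned above, and with the ACL on www-root for the IUSR account.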