Security Incidents mailing list archives

Re: Website Defacement


From: killy <killfactory () gmail com>
Date: Wed, 14 Jun 2006 09:11:13 -0400

Hi Jan,

Yes, I do have the HTTPERR logs and they were somewhat helpful.

We think it was a permission misconfiguration on the www-root.

The admin did not make an image before rebuilding so there is not much
more I can look at from a distance.

These servers belong to an agency that is merging with ours. Looks
like a lot of work to do with these guys. Low skill set, bad practices,
etc., etc.

On 6/14/06, Jan Reilink <janreilink () vevida com> wrote:
killy wrote:
> Hi everyone,
>
> Here is a piece of an IIS 6 log file of a recently defaced site.
>
> ##after a few failed attempts this one was successful
> 2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - -
> 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
> 2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - -
> 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
> 2006-05-25 04:57:25 POST /_vti_bin/shtml.dll/_vti_rpc - -
> 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 348
> 2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - -
> 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189
>

[...]
> Here is my question. Where else can I find evidence on the server to
> support my findings.
>

Maybe a silly question, but this is the HTTP logfile of a virtual domain
/ website on your server? If yes, have a look at the HTTPERR logfiles
located in %SYSTEMROOT%\system32\LogFiles\HTTPERR\*.log. Together with
the Event Viewer (both Application and System), they have been helpful
on more than one occasion.

> Findings: Exploited vulnerability in FrontPage extensions

[...]
> If anyone has dealt with this particular attack before or performed it
> ;-) please shed a little more light for me.
>

One commonly made mistake is to grant modify permissions to an IUSR on the
www-root folder, when FrontPage Server Extensions are installed. This
means anyone can log in with FrontPage without authentication.
I am not aware of any (new) FrontPage vulnerabilities. If there are, I'm
interested too.

--
Kind regards / Best regards,

Jan Reilink
VEVIDA Nederland B.V., janreilink () vevida com
Postbus 329, 9700 AH GRONINGEN, +31(0)50 - 5492234
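As an added example (not part of the thread, and not code from either poster), the script below shows how the check Jan describes can be run over an IIS 6 W3C log: it parses the `#Fields:` directive to name the columns, then flags successful POSTs to the FrontPage authoring endpoint that carry no authenticated username, which is the footprint of anonymous (IUSR) authoring, and tallies failed versus successful authoring calls per client IP so the "few failed attempts, then success" pattern killy mentions is visible. The column order is an assumption reconstructed from the quoted log lines; the sample log is constructed and mixes the two quoted entries with invented surrounding records (private-range IPs, a normal GET, two 401s and one authenticated authoring call).

```python
"""Flag anonymous FrontPage authoring in IIS 6 W3C extended log lines (added example)."""
from collections import defaultdict

# FrontPage Server Extensions authoring RPC endpoint, as seen in the quoted log.
AUTHORING_ENDPOINT = "/_vti_bin/_vti_aut/author.dll"

# Constructed sample log. The field order is an assumption based on the lines
# quoted in the thread; the 200.162.245.64 entries are the quoted ones, the
# rest (10.0.0.x clients, 401 responses, the "webmaster" login) are invented.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
2006-05-25 04:55:01 GET /index.htm - - 10.0.0.5 HTTP/1.1 Mozilla/4.0 - 200 4123
2006-05-25 04:56:50 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:56:58 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 09:12:03 POST /_vti_bin/_vti_aut/author.dll - webmaster 10.0.0.9 HTTP/1.1 MSFrontPage/5.0 - 200 1189
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    The #Fields: directive defines the column order, so the parser works for
    any field selection as long as the directive precedes the records.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log records appear before a #Fields: directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed records rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def is_authoring_request(row):
    """True for requests to the FrontPage authoring endpoint."""
    return row["cs-uri-stem"].lower() == AUTHORING_ENDPOINT


def is_success(row):
    """True for 2xx responses."""
    return 200 <= int(row["sc-status"]) < 300


def find_anonymous_authoring(rows):
    """Return successful author.dll requests with no authenticated user.

    cs-username is "-" when IIS served the request anonymously; a 2xx here
    means the IUSR account could write to the web root, the misconfiguration
    described in the thread.
    """
    return [r for r in rows if is_authoring_request(r) and r["cs-username"] == "-" and is_success(r)]


def summarize_by_client(rows):
    """Count failed vs. successful author.dll calls per client IP."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for row in rows:
        if not is_authoring_request(row):
            continue
        summary[row["c-ip"]]["succeeded" if is_success(row) else "failed"] += 1
    return dict(summary)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for hit in find_anonymous_authoring(rows):
        print("anonymous authoring:", hit["date"], hit["time"], hit["c-ip"], "bytes", hit["sc-bytes"])
    for ip, counts in sorted(summarize_by_client(rows).items()):
        print(ip, counts)
```

On a real server the same functions can be pointed at the site's W3C log under `%SYSTEMROOT%\system32\LogFiles\W3SVCn\` (the `#Fields:` line in each file drives the parsing); the authenticated `webmaster` call is deliberately not flagged, since the question is whether authoring succeeded without credentials, not whether authoring happened at all.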

