Security Incidents mailing list archives

Re: New to this and need help plz!!


From: Jeff <jeff () TCNET ORG>
Date: Thu, 28 Dec 2000 00:43:27 -0500

On Wed, 27 Dec 2000, Robert J. Wright wrote:

[snip]

[**] IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll [**]
12/27-06:46:04.461674 xxx.xxx.xxx.xxx:48731-> xxx.xxx.xxx.xxx:80
TCP TTL:244 TOS:0x0 ID:4692 DF
*****PA* Seq: 0xC621C4EA Ack: 0x243699 Win: 0x2238

I have received a total of 27 of these from that one source, going to my
webserver. No kidding, eh, being port 80 =] Now from my understanding this can
be legit traffic. Now I DNS'd the IP and it's a large consulting/industry
company. I checked with a sales rep and we do sell products to this
company. However, from what I read on Whitehats.com I don't see a reason why
this should happen from a customer. So I really don't know how to address
this. Can someone please help me out? Should I contact the network
administrator from that company about this?

Robert-

Here is the snort rule in question, just pulled from the database on
snort.org. I'll assume that you're using this somewhat unmodified. The
rule will wrap, but we can deal with that here:

alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll"; content: "_vti_bin/shtml.dll"; nocase; flags: AP;)

So, alert when you see tcp traffic from anywhere except from our
$HOME_NET, any source port... destined for any host on $HOME_NET port
80... use the message "IDS292 [etc]" for the alert message (if we DO
generate an alert... we're not done with the rule yet)... and the content
of the packet/stream contains "_vti_bin/shtml.dll" -- case insensitive...
and the TCP flags are exactly ACK and PSH.

You are correct in stating that this could be routine, legitimate traffic.
Nothing in this indicates with certainty an exploit, attempted or
otherwise.

If you are running FrontPage server extensions on the target web server,
this traffic could be quite valid -- either from someone maintaining pages
on your server, or even in some cases viewing pages that were created with
dependencies on the FrontPage server extensions. Even the viewing of pages
on your site using a Microsoft software package can trigger references to
FrontPage related files on a web server; Microsoft Office and Microsoft
Web Folders, among others, do so (though perhaps not always with shtml.dll).

Your next steps should involve some investigation -- some tasks/places to
start are listed below. Contacting an admin/technical person at the remote
site is a judgment call that you or someone else at your organization will
have to make, based on the perceived urgency of the situation and the
result of some initial investigation -- if urgency permits such
investigation. This is one of many areas where you may find a formal
security policy Quite Useful.

* Check the web server access logs -- match up records here with the
alerts from snort.

* Are FrontPage server extensions running on this machine?
* Should FrontPage server extensions be running on this machine?

* Are the installed (if installed) FrontPage server extensions current, or
are they outdated? In the case of FPSE, outdated generally equates to
vulnerable.

* Were the requests logged by snort a result of someone browsing,
authoring, or other?
* Should that IP have been browsing, authoring, or other?

Investigate as needed/able, and try to document as you go. Getting to know
what things are/should be running on your network is one of the key steps
in being able to detect things that should not be running on your network.

Some resources specific to this issue include:

Writing Snort Rules
<URI:http://www.snort.org/writing_snort_rules.htm>

Misc FrontPage references:
<URI:http://msdn.microsoft.com/workshop/languages/fp/default.asp>
<URI:http://msdn.microsoft.com/workshop/languages/fp/2000/sr12.asp>
<URI:http://www.microsoft.com/frontpage/>
<URI:http://www.rtr.com/fpsupport/>

Enjoy, and I hope that this information is helpful to you as you learn.

-jeff

--
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff () tcnet org
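The following is an added example, not part of the original thread or of Snort or FrontPage: a small Python script that applies the conditions of the IDS292 rule walked through above (source outside $HOME_NET, destination port 80, flags exactly PSH+ACK, case-insensitive content match) to a handful of constructed packet records, then carries out the first investigation step from the list by matching each resulting alert against constructed web-server access-log lines from the same source address within a short time window. The $HOME_NET range, the packet records, the log format and lines, and the path-to-role mapping for the FrontPage entry points are all assumptions made for this illustration; the rule text itself is the one quoted in the reply.

```python
"""Added example (not from the original post): evaluate the IDS292 rule against
constructed packets and correlate the alerts with constructed access-log lines."""
import ipaddress
import re
from datetime import datetime, timedelta

# The rule as quoted in the reply, on a single line; only the options it uses are handled.
RULE = ('alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS292 - WEB FRONTPAGE - '
        'Frontpage-shtml.dll"; content: "_vti_bin/shtml.dll"; nocase; flags: AP;)')

# Assumption: our $HOME_NET is the RFC 5737 documentation range 192.0.2.0/24.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_rule(text):
    """Split a classic one-line Snort rule into header fields and the options used here."""
    header, opts = text.split("(", 1)
    _action, _proto, src, sport, _arrow, dst, dport = header.split()
    options = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', opts))
    options["nocase"] = "nocase" in opts          # flag option, has no value
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, **options}


def addr_matches(addr, spec):
    """Evaluate a $HOME_NET / !$HOME_NET specifier against a concrete address."""
    inside = ipaddress.ip_address(addr) in HOME_NET
    return (not inside) if spec.startswith("!") else inside


def rule_matches(rule, pkt):
    """Apply every condition of the rule to one packet record; all must hold to alert."""
    if not addr_matches(pkt["src"], rule["src"]) or not addr_matches(pkt["dst"], rule["dst"]):
        return False
    if rule["dport"] != "any" and pkt["dport"] != int(rule["dport"]):
        return False
    # In this rule generation 'flags: AP' means exactly PSH and ACK set, nothing else.
    if set(pkt["flags"]) != set(rule["flags"]):
        return False
    hay, needle = pkt["payload"], rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


PACKETS = [  # constructed packet records, not captured traffic
    {"ts": datetime(2000, 12, 27, 6, 46, 4), "src": "203.0.113.7", "dst": "192.0.2.10",
     "dport": 80, "flags": "PA",
     "payload": "POST /_vti_bin/shtml.dll/contact.htm HTTP/1.0\r\nHost: www.example.com\r\n"},
    {"ts": datetime(2000, 12, 27, 6, 46, 9), "src": "203.0.113.7", "dst": "192.0.2.10",
     "dport": 80, "flags": "PA", "payload": "GET /index.htm HTTP/1.0\r\n"},
    {"ts": datetime(2000, 12, 27, 6, 47, 0), "src": "192.0.2.20", "dst": "192.0.2.10",
     "dport": 80, "flags": "PA", "payload": "GET /_VTI_BIN/shtml.dll HTTP/1.0\r\n"},  # internal source
    {"ts": datetime(2000, 12, 27, 6, 50, 0), "src": "203.0.113.7", "dst": "192.0.2.10",
     "dport": 80, "flags": "PA", "payload": "GET /_VTI_BIN/shtml.dll HTTP/1.0\r\n"},
]

# Constructed access log in a simplified W3C extended format (assumed field order).
ACCESS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2000-12-27 06:45:58 203.0.113.7 GET /contact.htm 200 Mozilla/4.0+(compatible;+MSIE+5.0)
2000-12-27 06:46:04 203.0.113.7 POST /_vti_bin/shtml.dll/contact.htm 200 Mozilla/4.0+(compatible;+MSIE+5.0)
2000-12-27 06:46:09 203.0.113.7 GET /index.htm 200 Mozilla/4.0+(compatible;+MSIE+5.0)
2000-12-27 06:47:00 192.0.2.20 GET /_vti_bin/shtml.dll 200 Mozilla/4.0+(compatible;+MSIE+5.0)
"""


def parse_access_log(text):
    """Parse the constructed log into records; skips the #Fields header."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time_, ip, method, uri, status, agent = line.split(maxsplit=6)
        records.append({"ts": datetime.fromisoformat(f"{date} {time_}"), "ip": ip,
                        "method": method, "uri": uri, "status": int(status), "agent": agent})
    return records


# Assumed mapping of FrontPage Server Extensions entry points to the role each serves;
# verify against the installed FPSE version before relying on it.
FPSE_ROLES = {
    "/_vti_bin/shtml.dll": "browse-time (form handler)",
    "/_vti_bin/_vti_aut/author.dll": "authoring",
    "/_vti_bin/_vti_adm/admin.dll": "administration",
}


def classify(uri):
    """Answer 'browsing, authoring, or other?' from the request path."""
    for prefix, role in FPSE_ROLES.items():
        if uri.lower().startswith(prefix):
            return role
    return "other"


def correlate(rule, packets, log_records, window=timedelta(seconds=30)):
    """For each alerting packet, find log records from the same source IP inside the
    window whose path contains the rule's content string, and label what they were."""
    needle = rule["content"].lower()
    findings = []
    for pkt in packets:
        if not rule_matches(rule, pkt):
            continue
        hits = [r for r in log_records
                if r["ip"] == pkt["src"] and abs(r["ts"] - pkt["ts"]) <= window
                and needle in r["uri"].lower()]
        findings.append({
            "alert_ts": pkt["ts"], "src": pkt["src"], "log_hits": hits,
            "role": classify(hits[0]["uri"]) if hits else None,
            "note": ("web server logged the request" if hits else
                     "no matching access-log record; check logging and whether the request completed"),
        })
    return findings


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for f in correlate(rule, PACKETS, parse_access_log(ACCESS_LOG)):
        print(f["alert_ts"], f["src"], f["role"], "-", f["note"])
```

Of the four constructed packets only the two from the external address alert: the internal request for the same path is excluded by `!$HOME_NET`, and the plain `GET /index.htm` carries no matching content. The first alert lines up with a logged `POST` to the form handler from the same address at the same second, which is exactly the kind of record the "browsing, authoring, or other?" question needs; the second alert has no log record inside the window at all, which is itself a finding worth writing down rather than a dead end.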

