Security Incidents mailing list archives

Re: possible frontpage exploit?


From: Bryan Andersen <bryan () visi com>
Date: Mon, 16 Jul 2001 17:59:22 -0500

Interesting, that GET/POST signature has visited my site 
three times in April and June.  I don't have FrontPage 
extensions enabled so my system replied with 404 messages.  
209.189.93.230, 194.140.192.69, and 211.21.184.162 all 
visited my site.  Each time there was a URL referral from 
a search site, a page or two loaded, then the GET/POST, 
then nothing.  The searches were all on "wlan".  Looks like
someone may be using keyword searches to find sites to
try to exploit.  Saves on scanning for them and the possible
detection thereof.


John Jetmore wrote:

My company has had two websites defaced within the last week.  Both times
the defacement seems to take place within FrontPage.  Here is the
actual defacement taking place:

ascta014p151.onda.com.br - - [12/Jul/2001:02:33:27 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:29 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:31 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1612 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:36 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:39 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:33:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:34:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55322 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:34:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:35:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 400 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:35:07 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 352 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:35:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 355 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:36:20 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 6923 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:36:37 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 3329 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:37:17 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4403 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:37:28 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 379 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:38:08 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 733 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:38:13 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 390 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:38:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:42:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:42:56 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:43:25 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 766 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:43:55 -0500] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:46:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:46:28 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:46:34 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:46:38 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1798 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:46:55 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 64682 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:05 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:06 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 252 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:11 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:19 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 764 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:24 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1780 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:46 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55992 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:47:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:49:09 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:50:03 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:52:10 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:52:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 2277 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:52:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 296 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:53:11 -0500] "GET /rbteam1.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:53:18 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 297 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:53:45 -0500] "GET /bandeira.gif HTTP/1.0" 200 6766 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
ascta014p151.onda.com.br - - [12/Jul/2001:02:53:50 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:54:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
ascta014p151.onda.com.br - - [12/Jul/2001:02:54:05 -0500] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

If you look, the attacker is using requests for "rbteam1.jpg" to see
whether he is successful.  The machine in question is running Solaris 8,
the webserver is Apache 1.3.14 w/ the FP 2000 server extensions installed.
My question is, has anyone seen anything like this?  Is this a FrontPage
exploit, or something else?  If it's something else, I'd sure like to know
what it is.

Thanks
--John Jetmore

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com

-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
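Both patterns in this thread are visible in the access log alone: the GET/POST probe pair (GET /_vti_inf.html, POST to shtml.exe/_vti_rpc) that Bryan saw answered with 404s, and John's run of accepted POSTs to author.exe followed by GETs of a file that goes from 404 to 200. The script below is an added example, not code from either poster; it assumes Apache combined-format lines with a leading client host, as in the excerpt, and runs over constructed sample records with placeholder hostnames (one record deliberately wrapped over two lines the way the mailed excerpt was).

```python
import re
from collections import defaultdict

# Apache combined log with a leading client host, as in the thread's excerpt.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
AUTHOR = "/_vti_bin/_vti_aut/author.exe"  # FrontPage authoring RPC endpoint
PROBE = ("/_vti_inf.html", "/_vti_bin/shtml.exe/_vti_rpc")  # the GET/POST probe pair

# Constructed sample modelled on the thread's log (placeholder hosts); record 1 is mail-wrapped.
SAMPLE = """\
client.example - - [12/Jul/2001:02:33:27 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0
(compatible; MS FrontPage 3.0)"
client.example - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"
client.example - - [12/Jul/2001:02:39:39 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
client.example - - [12/Jul/2001:02:53:11 -0500] "GET /rbteam1.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
scanner.example - - [14/Jun/2001:10:00:00 -0500] "GET /_vti_inf.html HTTP/1.0" 404 205 "http://search.example/?q=wlan" "Mozilla/4.0"
scanner.example - - [14/Jun/2001:10:00:02 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 205 "-" "MSFrontPage/3.0"
"""

def parse(text):
    """Re-join records that a mail client wrapped onto a second line, then parse them."""
    recs = []
    for line in text.splitlines():
        if re.match(r"^\S+ \S+ \S+ \[", line):
            recs.append(line)
        elif recs and line.strip():  # continuation of the previous record
            recs[-1] = recs[-1].rstrip() + " " + line.strip()
    return [dict(m.groupdict(), status=int(m["status"])) for m in map(LOG_RE.match, recs) if m]

def frontpage_report(text):
    """Per client: probed the extensions? authoring RPC accepted? which GETs went 404 -> 200?"""
    by_host = defaultdict(list)
    for r in parse(text):
        by_host[r["host"]].append(r)
    report = {}
    for host, reqs in by_host.items():
        probed = any(r["path"] in PROBE for r in reqs)
        authored = any(r["method"] == "POST" and r["path"] == AUTHOR and r["status"] == 200 for r in reqs)
        missing, appeared = set(), []  # a 404 then a 200 for the same path: the file was created
        for r in reqs:
            if r["method"] == "GET" and r["status"] == 404:
                missing.add(r["path"])
            elif r["method"] == "GET" and r["status"] == 200 and r["path"] in missing:
                appeared.append(r["path"])
        if probed or authored:
            report[host] = {"probed": probed, "authored": authored, "new_files": appeared,
                            "referrers": sorted({r["ref"] for r in reqs if r["ref"] != "-"})}
    return report
```

A host with "authored" true and a non-empty "new_files" list is the defacement case John describes; "probed" alone with 404s and a search-engine referrer is the keyword-driven scouting Bryan describes.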

