Security Incidents mailing list archives
Re: possible frontpage exploit?
From: John Jetmore <jetmore () cinergycom com>
Date: Tue, 17 Jul 2001 09:37:01 -0500 (CDT)
It turned out to be a stupid (_stupid_) configuration problem. I found a scanner for the problem and ran it against our sites. 3 of ~150 frontpage enabled sites were vulnerable. As far as I can tell this was simply laxness on the part of the person who sets them up for us. (probably overfamiliarity with the process.) So, essentially, the signature below is, as someone pointed out, the normal signature of a frontpage transaction. Thanks for all of the responses. --John Jetmore On Mon, 16 Jul 2001, John Jetmore wrote:
My company has had two websites defaced within the last week. Both times the defacement seems to take place withing frontpage. Here is the the actual defacement taking place: If you look, the attacker is using requests for "rbteam1.jpg" to see whether he is successful. The machine in question is running solaris 8, the webserver is apache 1.3.14 w/ the FP 2000 server extensions installed. My question is, has anyone seen anything like this? Is this a frontpage exploit, or something else? If it's something else, I'd sure like to know what it is.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: possible frontpage exploit? Raul Dias (Jul 16)
- <Possible follow-ups>
- possible frontpage exploit? John Jetmore (Jul 16)
- Re: possible frontpage exploit? Bryan Andersen (Jul 16)
- Re: possible frontpage exploit? John Jetmore (Jul 17)