Re: possible frontpage exploit?

[John Jetmore <jetmore () cinergycom com>]

It turned out to be a stupid (_stupid_) configuration problem.  I found
a scanner for the problem and ran it against our sites.  3 of ~150
frontpage enabled sites were vulnerable.  As far as I can tell this was
simply laxness on the part of the person who sets them up for us.
(probably overfamiliarity with the process.)

So, essentially, the signature below is, as someone pointed out, the
normal signature of a frontpage transaction.

Thanks for all of the responses.
--John Jetmore

On Mon, 16 Jul 2001, John Jetmore wrote:

> My company has had two websites defaced within the last week.  Both times
> the defacement seems to take place withing frontpage.  Here is the the
> actual defacement taking place:
>
> If you look, the attacker is using requests for "rbteam1.jpg" to see
> whether he is successful.  The machine in question is running solaris 8,
> the webserver is apache 1.3.14 w/ the FP 2000 server extensions installed.
> My question is, has anyone seen anything like this?  Is this a frontpage
> exploit, or something else?  If it's something else, I'd sure like to know
> what it is.




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com