Security Incidents mailing list archives

Re: Tracking down the still infected hosts


From: Josh Burroughs <jburroug () lib uaa alaska edu>
Date: Tue, 25 Sep 2001 15:00:30 -0800 (AKDT)

On Tue, 25 Sep 2001, Dale Lancaster wrote:
> However I am seeing new log entries that I haven't seen before:
>
> [Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not
> exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc
>
> It may just be some misconfiguration in our site, but the shtml.exe seems to
> point to something else since we don't use .exe stuff on our site.  These
> are flooding my site, but we get lots of them over a day.

That's what it looks like when someone using MS FrontPage tries to
connect/upload a web site to a server with FrontPage extensions installed.
If the IPs connecting are from inside your org, find the offending users
and hit them with a stick ;-> Or set up redirects to goatse.cx, I'm not
sure if the FrontPage client will honor a redirect but it'd be funny as
hell if that has the intended effect ;->


-Josh


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

