Security Incidents mailing list archives

Re: Website Defacement


From: Jan Reilink <janreilink () vevida com>
Date: Wed, 14 Jun 2006 14:34:20 +0200

killy wrote:
Hi everyone,

Here is a piece of an IIS 6 log file of a recently defaced site.

##after a few failed attempts this one was successful
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 04:57:25 POST /_vti_bin/shtml.dll/_vti_rpc - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 348
2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189


[...]
Here is my question. Where else can I find evidence on the server to
support my findings.


Maybe a silly question, but this is the HTTP logfile of a virtual domain / website on your server? If yes, have a look at the HTTPERR logfiles located in %SYSTEMROOT%\system32\LogFiles\HTTPERR\*.log. Together with the Event Viewer (both Application and System), they have been helpful on more than one occasion.

Findings: Exploited vulnerability in FrontPage extensions

[...]
If anyone has dealt with this particular attack before or performed it
;-) please shed a little more light for me.


One commonly made mistake is to grant modify permissions to an IUSR on the www-root folder when FrontPage Server Extensions are installed. This means anyone can log in with FrontPage without authentication. I am not aware of any (new) FrontPage vulnerabilities. If there are, I'm interested too.

--
Met vriendelijke groet / Best regards,

Jan Reilink
VEVIDA Nederland B.V., janreilink () vevida com
Postbus 329, 9700 AH GRONINGEN, +31(0)50 - 5492234
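Added example (not from either poster): a small triage script that walks IIS W3C log lines like the ones quoted above, groups POSTs to the FrontPage authoring RPC endpoints by client IP, and separates failed from successful attempts. The field order is assumed from the sample lines in the thread; the sample log below is constructed around the quoted entries, with two 401 responses added to stand in for the "few failed attempts" killy mentions. A successful authoring POST with "-" in cs-username is exactly the pattern worth checking against the IUSR modify-permission point raised in the reply.

```python
"""Flag FrontPage Server Extensions authoring POSTs in IIS W3C log lines."""
from collections import defaultdict

# Field order assumed from the thread's sample lines (no #Fields header shown):
# date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version
# cs(User-Agent) cs(Referer) sc-status sc-bytes
FIELDS = ["date", "time", "method", "uri", "query", "user", "client_ip",
          "version", "user_agent", "referer", "status", "bytes"]

# FrontPage RPC endpoints that perform authoring (write) operations.
AUTHORING_URIS = ("/_vti_bin/_vti_aut/author.dll", "/_vti_bin/shtml.dll/_vti_rpc")

# Constructed sample log: the quoted 200 entries plus two hypothetical 401 attempts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
2006-05-25 04:57:11 GET /index.htm - - 10.0.0.5 HTTP/1.1 Mozilla/4.0 - 200 5120
2006-05-25 04:57:15 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:57:18 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 04:57:25 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 348
2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189
"""

def parse_line(line):
    """Return a dict for a data line, or None for headers/comments/malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    return rec

def find_authoring_sessions(lines):
    """Group FrontPage authoring POSTs by client IP: failed vs. successful,
    time of first success, and the usernames IIS logged on successful calls
    ('-' means no authenticated user was recorded)."""
    sessions = defaultdict(lambda: {"failed": 0, "succeeded": 0,
                                    "first_success": None, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["uri"].startswith(AUTHORING_URIS):
            continue
        s = sessions[rec["client_ip"]]
        if rec["status"] == 200:
            s["succeeded"] += 1
            s["users"].add(rec["user"])
            if s["first_success"] is None:
                s["first_success"] = f'{rec["date"]} {rec["time"]}'
        else:
            s["failed"] += 1
    return dict(sessions)

if __name__ == "__main__":
    for ip, s in find_authoring_sessions(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
```

Run it against the real log after cutting it to the same field set, then take each flagged IP and timestamp to the HTTPERR logs and the Event Viewer entries from the same window, as suggested in the reply.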

