possible frontpage exploit?

From: John Jetmore (jetmoreat_private)
Date: Mon Jul 16 2001 - 14:23:24 PDT

    My company has had two websites defaced within the last week.  Both times
    the defacement seems to take place within FrontPage.  Here is the
    actual defacement taking place:
    
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:27 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:29 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:31 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1612 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:36 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:39 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:33:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:34:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55322 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:34:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:35:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 400 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:35:07 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 352 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:35:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 355 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:36:20 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 6923 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:36:37 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 3329 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:37:17 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4403 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:37:28 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 379 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:38:08 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 733 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:38:13 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 390 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:38:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:42:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:42:56 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:43:25 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 766 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:43:55 -0500] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:46:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:46:28 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:46:34 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:46:38 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1798 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:46:55 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 64682 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:05 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:06 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 252 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:11 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:19 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 764 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:24 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1780 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:46 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55992 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:47:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:49:09 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:50:03 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:52:10 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:52:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 2277 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:52:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 296 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:53:11 -0500] "GET /rbteam1.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:53:18 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 297 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:53:45 -0500] "GET /bandeira.gif HTTP/1.0" 200 6766 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:53:50 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:54:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
    ascta014p151.onda.com.br - - [12/Jul/2001:02:54:05 -0500] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    
    If you look, the attacker is using requests for "rbteam1.jpg" to see
    whether he is successful.  The machine in question is running Solaris 8,
    the webserver is Apache 1.3.14 w/ the FP 2000 server extensions installed.
    My question is, has anyone seen anything like this?  Is this a FrontPage
    exploit, or something else?  If it's something else, I'd sure like to know
    what it is.
    
    Thanks
    --John Jetmore
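A defender's way of reading a log like the one above, as an added example that is not part of the original post: the script parses Apache combined-format lines, counts POSTs to the FrontPage Server Extensions authoring endpoints per source host (ignoring hosts on an allowlist of known authors), records the time window of that activity, and flags any path that was first requested with a 404 and later served with a 200, which is exactly the "rbteam1.jpg" check John describes. The sample lines are a handful excerpted from the post plus one constructed benign request; the function names and the `allowed_authors` parameter are my own, not anything from the list or from FrontPage.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# FrontPage Server Extensions authoring endpoints seen in the post. A POST to
# these from a host that is not a known author is the thing worth alerting on.
AUTHORING_PATHS = frozenset({
    "/_vti_bin/_vti_aut/author.exe",
    "/_vti_bin/shtml.exe/_vti_rpc",
})

# Excerpt of the post's own log lines plus one constructed benign request
# (192.0.2.10 is a documentation address, not a real client).
SAMPLE_LINES = [
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:33:29 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"',
    '192.0.2.10 - - [12/Jul/2001:02:40:00 -0500] "GET /index.html HTTP/1.0" 200 1200 "-" "Mozilla/4.0 (constructed benign line)"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:42:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:53:11 -0500] "GET /rbteam1.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:53:18 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 297 "-" "MSFrontPage/3.0"',
    'ascta014p151.onda.com.br - - [12/Jul/2001:02:53:45 -0500] "GET /bandeira.gif HTTP/1.0" 200 6766 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, allowed_authors=frozenset()):
    """Per-host findings: number of authoring POSTs, their time window, and
    paths that went from 404 to 200 (a file that did not exist is now served,
    which is how the poster spotted the uploaded image)."""
    posts = defaultdict(int)
    window = {}                      # host -> [first_time, last_time]
    first_status = {}                # (host, path) -> first GET status seen
    new_files = defaultdict(set)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, path = rec["host"], rec["path"]
        if rec["method"] == "POST" and path in AUTHORING_PATHS and host not in allowed_authors:
            posts[host] += 1
            w = window.setdefault(host, [rec["time"], rec["time"]])
            w[0], w[1] = min(w[0], rec["time"]), max(w[1], rec["time"])
        elif rec["method"] == "GET":
            key = (host, path)
            if key not in first_status:
                first_status[key] = rec["status"]
            elif first_status[key] == 404 and rec["status"] == 200:
                new_files[host].add(path)

    findings = {}
    for host in set(posts) | set(new_files):
        first, last = window.get(host, (None, None))
        findings[host] = {
            "authoring_posts": posts[host],
            "first_seen": first.isoformat() if first else None,
            "last_seen": last.isoformat() if last else None,
            "new_files": sorted(new_files[host]),
        }
    return findings


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LINES).items():
        print(host, f)
```

Feed it the full log (`analyze(open("access_log"))`) and put your own publishing workstations in `allowed_authors`; any other host with a non-zero `authoring_posts` count, especially one whose `new_files` list is non-empty, is the session to investigate first.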
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 14:33:14 PDT