Interesting, that GET/POST signature has visited my site three times in April and June. I don't have FrontPage extensions enabled, so my system replied with 404 messages. 209.189.93.230, 194.140.192.69, and 211.21.184.162 all visited my site. Each time there was a URL referral from a search site, a page or two loaded, then the GET/POST, then nothing. The searches were all on "wlan". Looks like someone may be using keyword searches to find sites to try to exploit. Saves on scanning for them and the possible detection thereof.

John Jetmore wrote:
>
> My company has had two websites defaced within the last week. Both times
> the defacement seems to take place within FrontPage. Here is the
> actual defacement taking place:
>
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:27 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:29 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:31 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1612 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:36 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:39 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:33:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:34:48 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55322 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:34:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 142 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:35:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 400 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:35:07 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 352 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:35:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 355 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:36:20 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 6923 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:36:37 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 3329 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:37:17 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4403 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:37:28 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 379 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:38:08 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 733 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:38:13 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 390 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:38:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:39:39 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:42:45 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:42:56 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1195 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /rbteam1.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:43:12 -0500] "GET /bandeira.gif HTTP/1.0" 404 206 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:43:25 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 766 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:43:55 -0500] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:46:23 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 4 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:46:28 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:46:34 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:46:38 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 1798 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:46:55 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 64682 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:05 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:06 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 252 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:11 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:19 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 764 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:24 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1780 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:46 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55992 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:47:57 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 607 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:49:09 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1747 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:50:03 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:52:10 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 669 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:52:30 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 2277 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:52:51 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 296 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:53:11 -0500] "GET /rbteam1.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:53:18 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 297 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:53:45 -0500] "GET /bandeira.gif HTTP/1.0" 200 6766 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:53:50 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:54:02 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 801 "-" "MSFrontPage/3.0"
> ascta014p151.onda.com.br - - [12/Jul/2001:02:54:05 -0500] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
>
> If you look, the attacker is using requests for "rbteam1.jpg" to see
> whether he is successful. The machine in question is running Solaris 8;
> the webserver is Apache 1.3.14 w/ the FP 2000 server extensions installed.
> My question is, has anyone seen anything like this? Is this a FrontPage
> exploit, or something else? If it's something else, I'd sure like to know
> what it is.
>
> Thanks
> --John Jetmore
>
> ----------------------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

--
| Bryan Andersen | bryanat_private | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
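As an added example (not part of either post), a small Python detector run over constructed Apache combined-format lines modelled on the entries John quoted: it groups requests by client host, flags hosts that got a 200 from author.exe, and reports any path that first returned 404 and later 200 from the same host, which is the "did my upload land?" check John points out. Host names, paths and sizes in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined format, modelled on the thread's
# entries; hosts, paths and byte counts are made up.
SAMPLE_LOG = """\
client.example.net - - [12/Jul/2001:02:33:27 -0500] "GET /_vti_inf.html HTTP/1.0" 200 1716 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
client.example.net - - [12/Jul/2001:02:33:29 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 200 227 "-" "MSFrontPage/3.0"
client.example.net - - [12/Jul/2001:02:33:44 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 1594 "-" "MSFrontPage/3.0"
client.example.net - - [12/Jul/2001:02:39:39 -0500] "GET /team.jpg HTTP/1.0" 404 205 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
client.example.net - - [12/Jul/2001:02:47:46 -0500] "POST /_vti_bin/_vti_aut/author.exe HTTP/1.0" 200 55992 "-" "MSFrontPage/3.0"
client.example.net - - [12/Jul/2001:02:53:11 -0500] "GET /team.jpg HTTP/1.0" 200 55927 "-" "Mozilla/2.0 (compatible; MS FrontPage 3.0)"
reader.example.org - - [12/Jul/2001:03:10:02 -0500] "GET /_vti_inf.html HTTP/1.0" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
"""

# host ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"')
AUTHOR_EXE = "/_vti_bin/_vti_aut/author.exe"  # FrontPage authoring endpoint seen in the log

def parse(text):
    """Yield (host, method, path, status) for every line in combined format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host, _ts, method, path, status, _size, _agent = m.groups()
            yield host, method, path, int(status)

def flag_frontpage_authoring(text):
    """Return {host: [paths]} for hosts whose POST to author.exe was accepted (200).
    The list holds paths that were 404 earlier in that host's session and 200
    after the accepted authoring call, i.e. content that appeared mid-session."""
    per_host = defaultdict(list)
    for host, method, path, status in parse(text):
        per_host[host].append((method, path, status))
    findings = {}
    for host, reqs in per_host.items():
        authored, missing, appeared = False, set(), []
        for method, path, status in reqs:
            if method == "POST" and path == AUTHOR_EXE and status == 200:
                authored = True
            elif method == "GET" and status == 404:
                missing.add(path)
            elif method == "GET" and status == 200 and authored and path in missing:
                appeared.append(path)
        if authored:
            findings[host] = appeared
    return findings
```

A host with accepted author.exe calls but an empty path list still warrants a look, since the attacker's success check is optional.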
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 16:05:03 PDT