Re: possible frontpage exploit?

From: Raul Dias (chaosat_private)
Date: Mon Jul 16 2001 - 15:44:06 PDT


    >
    >My company has had two websites defaced within the last week.  Both times
    >the defacement seems to take place within frontpage.  Here is the
    >actual defacement taking place:
    
    >ascta014p151.onda.com.br - - [12/Jul/2001:02:54:05 -0500] "GET / HTTP/1.1" 200 1279 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
    >
    >If you look, the attacker is using requests for "rbteam1.jpg" to see
    >whether he is successful.  The machine in question is running solaris 8,
    >the webserver is apache 1.3.14 w/ the FP 2000 server extensions installed.
    >My question is, has anyone seen anything like this?  Is this a frontpage
    >exploit, or something else?  If it's something else, I'd sure like to know
    >what it is.
    >
    >Thanks
    >--John Jetmore
    
    You should try to contact Onda.
    Onda is an ISP here in Brazil.
    Unfortunately it is not too responsible for the actions of its users;
    we have a few incidents with them and Onda doesn't really care.
    
    Anyway, here are their numbers:
    (55) -  0800-437878   (toll free)
    (55) - 41 - 322-7766
    
    Good luck.
    
    -Raul Dias
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    


