Re: possible frontpage exploit?

From: John Jetmore (jetmoreat_private)
Date: Tue Jul 17 2001 - 07:37:01 PDT

    It turned out to be a stupid (_stupid_) configuration problem.  I found
    a scanner for the problem and ran it against our sites.  3 of ~150
    frontpage enabled sites were vulnerable.  As far as I can tell this was
    simply laxness on the part of the person who sets them up for us.
    (probably overfamiliarity with the process.)
    
    So, essentially, the signature below is, as someone pointed out, the
    normal signature of a frontpage transaction.
    
    Thanks for all of the responses.
    --John Jetmore
    
    On Mon, 16 Jul 2001, John Jetmore wrote:
    
    > My company has had two websites defaced within the last week.  Both times
    > the defacement seems to take place within frontpage.  Here is the
    > actual defacement taking place:
    >
    > If you look, the attacker is using requests for "rbteam1.jpg" to see
    > whether he is successful.  The machine in question is running solaris 8,
    > the webserver is apache 1.3.14 w/ the FP 2000 server extensions installed.
    > My question is, has anyone seen anything like this?  Is this a frontpage
    > exploit, or something else?  If it's something else, I'd sure like to know
    > what it is.
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:49:52 PDT