Incidents
Website Defacement Jun 07 2006 01:49PM
killy (killfactory gmail com) (1 replies)
Hi everyone,

Here is a piece of an IIS 6 log file of a recently defaced site.

##after a few failed attempts this one was successful
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 04:57:25 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 348
2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189

## here comes zone-h about a minute later
2006-05-25 04:58:01 GET /Default.htm - - 213.219.122.11 HTTP/1.0 Wget/1.9.1 - 200 1930
2006-05-25 04:58:03 HEAD /Default.htm - - 213.219.122.11 HTTP/1.0 Sprint+(safemode.org) - 200 355

I know that this is somewhat of a joke of an attack.

The ftp logs were missing for this day and a few days after.

I traced the IP to a Brazilian ISP. The group is called "SPYKIDS".
They have many defacements credited to them.

Here is my question. Where else can I find evidence on the server to
support my findings?

Findings: Exploited vulnerability in FrontPage extensions

I have not been to the server; I have only reviewed the IIS logs at this point.

This server was not in the path of IDS or even in a DMZ. The internal
network is one flat segment. Client and servers on the same segment.

During my log review I found many attempts using different techniques
to gain a foothold on this server via IIS.

My other concern is how long was it vulnerable. Was this the first
attacker to leave his calling card?

Has it been compromised for a long time?

Being the devil's advocate that I am, I could ask a lot of questions.

If anyone has dealt with this particular attack before or performed it
;-) please shed a little more light for me.

TIA - secret_squirrel
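The "how long was it vulnerable / was this the first attacker" question above is what a log triage pass answers. Below is an added example, not from the original post or its author, that parses IIS 6 W3C lines in the field order the post shows and reports, per client IP, the first and last time an anonymous POST to the FrontPage authoring endpoint was accepted with a 200; the sample log is constructed from the post's lines plus one rejected attempt, and the field order is assumed since the #Fields header is not shown.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's layout: one 401 (rejected) authoring
# attempt is added so the filter has something to discard.
# Assumed field order: date time cs-method cs-uri-stem cs-uri-query
# cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
SAMPLE_LOG = """\
2006-05-25 04:55:02 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 401 1656
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1107
2006-05-25 04:57:25 POST /_vti_bin/_vti_aut/author.dll - - 200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 1189
2006-05-25 04:58:01 GET /Default.htm - - 213.219.122.11 HTTP/1.0 Wget/1.9.1 - 200 1930
2006-05-25 04:58:03 HEAD /Default.htm - - 213.219.122.11 HTTP/1.0 Sprint+(safemode.org) - 200 355
"""

# The authoring endpoint from the post; an accepted POST here from the
# Internet on a site nobody publishes to with FrontPage is the finding.
AUTHORING_PATHS = ("/_vti_bin/_vti_aut/author.dll",)


def parse_line(line):
    """Split one W3C log line into a dict; None for comments or short lines."""
    if line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 12:
        return None
    return {
        "ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
        "method": f[2], "path": f[3], "ip": f[6], "ua": f[8],
        "status": int(f[10]), "bytes": int(f[11]),
    }


def find_authoring_hits(log_text):
    """{client_ip: {'first', 'last', 'count'}} for POSTs to an authoring
    endpoint that returned 200; first/last bound the window of abuse."""
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["status"] != 200:
            continue
        if rec["path"].lower() not in AUTHORING_PATHS:
            continue
        h = hits[rec["ip"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["count"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, h in find_authoring_hits(SAMPLE_LOG).items():
        print(ip, h["count"], "accepted authoring POSTs", h["first"], "to", h["last"])
```

Run over the full log retention period rather than one day; an earlier first-hit date from a different IP is the evidence that the defacement in the post was not the first compromise.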


Re: Website Defacement Jun 14 2006 12:34PM
Jan Reilink (janreilink vevida com)