Security Incidents mailing list archives
Re: Tracking down the still infected hosts
From: Nicole Haywood <N.Haywood () isu usyd edu au>
Date: Wed, 26 Sep 2001 11:03:24 +1000
It could be related to the Microsoft IIS shtml.exe path disclosure vulnerability. A search on the web for shtml.exe and vulnerability came up with the following. But it's also over a year old, so probably isn't too much of a problem with a correctly patched IIS server.

The local path of HTML, HTM, ASP, and SHTML files can be exposed under Microsoft IIS 4.0 and 5.0. Requesting a non-existent file from shtml.exe will result in an error message that discloses the full local path to the web root.

Details

Vulnerable systems:
- Microsoft IIS 5.0
- Microsoft IIS 4.0

Exploit:
A URL such as:
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.html
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.htm
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.shtml
http://www.example.com/_vti_bin/shtml.exe/non-existent-file.asp

Will reveal the real path of the web server to an attacker. This information can later be used in further attacks.

URL: http://www.securiteam.com/windowsntfocus/5NP0J0U1FO.html

At 15:00 25/09/01 -0800, Josh Burroughs wrote:
> On Tue, 25 Sep 2001, Dale Lancaster wrote:
> > However I am seeing new log entries that I haven't seen before:
> >
> > [Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc
> >
> > It may just be some misconfiguration in our site, but the shtml.exe seems to point to something else since we don't use .exe stuff on our site. These are flooding my site, but we get lots of them over a day.
>
> That's what it looks like when someone using MS Frontpage tries to connect/upload a web site to a server with frontpage extensions installed. If the IP's connecting are from inside your org find the offending users and hit them with a stick ;->
>
> Or setup redirects to goatse.cx, I'm not sure if the frontpage client will honor a redirect but it'd be funny as hell that has the intended effect ;->
>
> -Josh
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
Nicole Haywood                 Phone: +61 2 93515504
Network Security Officer       Fax: +61 2 93515001
University of Sydney           Email: N.Haywood () isu usyd edu au
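One way to triage the log entries Dale and Josh discuss above, as an added example that is not part of the thread: a small Python script that parses Apache error_log lines of the shape quoted, keeps only the `_vti_bin/shtml.exe` misses, and separates internal (RFC 1918) client addresses, i.e. likely FrontPage users inside your own organisation, from external sources. The sample log lines and address ranges below are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Apache error_log line format as quoted in the thread:
# [Tue Sep 25 16:33:41 2001] [error] [client 1.2.3.4] File does not exist: /path/_vti_bin/shtml.exe/_vti_rpc
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Any miss under _vti_bin/shtml.exe is a FrontPage RPC or probe attempt.
FRONTPAGE_RE = re.compile(r"/_vti_bin/shtml\.exe(/|$)", re.IGNORECASE)

# Constructed sample log lines (not from the original thread). 10.0.0.0/8 hosts
# stand in for internal FrontPage clients; 203.0.113.0/24 (TEST-NET-3) is "external".
SAMPLE_LOG = """\
[Tue Sep 25 16:33:41 2001] [error] [client 10.1.2.3] File does not exist: /var/www/html/_vti_bin/shtml.exe/_vti_rpc
[Tue Sep 25 16:33:42 2001] [error] [client 10.1.2.3] File does not exist: /var/www/html/_vti_bin/shtml.exe/_vti_rpc
[Tue Sep 25 16:34:10 2001] [error] [client 203.0.113.7] File does not exist: /var/www/html/_vti_bin/shtml.exe/_vti_rpc
[Tue Sep 25 16:35:00 2001] [error] [client 10.9.8.7] File does not exist: /var/www/html/robots.txt
[Tue Sep 25 16:36:12 2001] [error] [client 10.9.8.7] File does not exist: /var/www/html/_vti_bin/shtml.exe/non-existent-file.asp
garbage line that does not match the error_log format
"""


def frontpage_probes(log_text, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return (internal, external) Counters of {client_ip: hit_count} for
    requests that hit _vti_bin/shtml.exe. Lines that do not match the
    error_log format or do not touch shtml.exe are ignored."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    internal, external = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not FRONTPAGE_RE.search(m["path"]):
            continue
        ip = ipaddress.ip_address(m["ip"])
        (internal if any(ip in n for n in nets) else external)[str(ip)] += 1
    return internal, external


if __name__ == "__main__":
    inside, outside = frontpage_probes(SAMPLE_LOG)
    for ip, n in inside.most_common():
        print(f"internal FrontPage client {ip}: {n} shtml.exe requests (find the user)")
    for ip, n in outside.most_common():
        print(f"external source {ip}: {n} shtml.exe requests")
```

On a real server, feed it the error_log contents and adjust `internal_nets` to your own address ranges.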