|
|
|
|
| Miha Pihler [MVP] 2005-10-12, 6:15 pm |
| Hi Juan,
You might not have FrontPage, but it looks to me that someone (an attacker)
is checking what you are running (if you do have FrontPage) on your server.
This is usually know as "probing" the server to see if it is vulnerable to
any attacks...
--
Mike
Microsoft MVP - Windows Security
"Juan" <juan@juan.org> wrote in message
news:ugnkjqgzFHA.1856@TK2MSFTNGP12.phx.gbl...
>I found in my servers IIS this logs line
> PUT /page.htm - 200
> Microsoft+Data+Access+Internet+Publishin
g+Provider+DAV+1.1
>
> I searched and found this
> http://lists.grok.org.uk/pipermail/...ber/030467.html
>
> I don't have install FrontPage.
>
> What happend?
>
> Tks in advanced.
>
>
| |
|
|
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:ucazsFozFHA.268@TK2MSFTNGP09.phx.gbl...
> Hi Juan,
>
> You might not have FrontPage, but it looks to me that someone (an
attacker)
> is checking what you are running (if you do have FrontPage) on your
server.
> This is usually know as "probing" the server to see if it is vulnerable to
> any attacks...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "Juan" <juan@juan.org> wrote in message
> news:ugnkjqgzFHA.1856@TK2MSFTNGP12.phx.gbl...
http://lists.grok.org.uk/pipermail/...ber/030467.html[vbcol=seagreen]
>
>
| |
|
| I research a little more in my server and found on my system a web page that
contains xxx contents.
You said that they was only probing. Can be posible that they have inserted
the page with that command? Did not found anything else that could do it. I
have too much suspicions about the line. How can i correct the problem?
Tks Miha..
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:ucazsFozFHA.268@TK2MSFTNGP09.phx.gbl...
> Hi Juan,
>
> You might not have FrontPage, but it looks to me that someone (an
attacker)
> is checking what you are running (if you do have FrontPage) on your
server.
> This is usually know as "probing" the server to see if it is vulnerable to
> any attacks...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "Juan" <juan@juan.org> wrote in message
> news:ugnkjqgzFHA.1856@TK2MSFTNGP12.phx.gbl...
http://lists.grok.org.uk/pipermail/...ber/030467.html[vbcol=seagreen]
>
>
| |
| Miha Pihler [MVP] 2005-10-12, 6:15 pm |
| PUT command is actually equivalent of saying "save this on the server", but
I doubt the XXX page was saved on the server by action that was logged and
posted in this thread. It had to be done by some other (similar?) action.
In which folder did this page appear?
Which version if IIS do you run?
Is this publicly available IIS?
--
Mike
Microsoft MVP - Windows Security
"Juan" <juan@juan.org> wrote in message
news:u1y7aXozFHA.3152@TK2MSFTNGP10.phx.gbl...
>I research a little more in my server and found on my system a web page
>that
> contains xxx contents.
>
>
> You said that they was only probing. Can be posible that they have
> inserted
> the page with that command? Did not found anything else that could do it.
> I
> have too much suspicions about the line. How can i correct the problem?
>
> Tks Miha..
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:ucazsFozFHA.268@TK2MSFTNGP09.phx.gbl...
> attacker)
> server.
> http://lists.grok.org.uk/pipermail/...ber/030467.html
>
>
| |
|
| The page was put on home directory
IIS 5.0, Windows 2000 Server
Yes.
In this link you can found more information about this topic.
http://lists.grok.org.uk/pipermail/...ber/030467.html
I tested this exploit on my server and this work perfect, but I didn't
found a solition for the problem.
Tks again Miha.
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:Oitn7rozFHA.3836@TK2MSFTNGP10.phx.gbl...
> PUT command is actually equivalent of saying "save this on the server",
but
> I doubt the XXX page was saved on the server by action that was logged and
> posted in this thread. It had to be done by some other (similar?) action.
>
> In which folder did this page appear?
> Which version if IIS do you run?
> Is this publicly available IIS?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Juan" <juan@juan.org> wrote in message
> news:u1y7aXozFHA.3152@TK2MSFTNGP10.phx.gbl...
it.[vbcol=seagreen]
http://lists.grok.org.uk/pipermail/...ber/030467.html[vbcol=seagreen]
>
>
| |
| Miha Pihler [MVP] 2005-10-12, 6:15 pm |
| Do you have all patches installed on the server? You could (should) run MBSA
on the server to check if any of the patches are missing...
Free MBSA download
http://www.microsoft.com/technet/se...s/mbsahome.mspx
You should also go to
http://update.microsoft.com/microso...t.aspx?ln=en-us and
install any missing patches.
If you can you should upgrade to IIS 6.0.
Let me know if you need more help with this... I will also check few other
options.
--
Mike
Microsoft MVP - Windows Security
"Juan" <juan@juan.org> wrote in message
news:%23qUuXVpzFHA.3380@TK2MSFTNGP10.phx.gbl...
> The page was put on home directory
> IIS 5.0, Windows 2000 Server
> Yes.
>
> In this link you can found more information about this topic.
> http://lists.grok.org.uk/pipermail/...ber/030467.html
>
> I tested this exploit on my server and this work perfect, but I didn't
> found a solition for the problem.
>
> Tks again Miha.
>
>
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:Oitn7rozFHA.3836@TK2MSFTNGP10.phx.gbl...
> but
> it.
> http://lists.grok.org.uk/pipermail/...ber/030467.html
>
>
| |
|
|
|
|
| Miha Pihler [MVP] 2005-10-12, 6:15 pm |
| Check my other post with few options how to disable or prevent PUT command
in your IIS server.
--
Mike
Microsoft MVP - Windows Security
"Juan" <juan@juan.org> wrote in message
news:%23YQVMtqzFHA.3856@tk2msftngp13.phx.gbl...
> Yes I have all patches installed.
> "Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
> news:OM%23FR8pzFHA.2312@TK2MSFTNGP14.phx.gbl...
> MBSA
> http://lists.grok.org.uk/pipermail/...ber/030467.html
> page
> problem?
> http://lists.grok.org.uk/pipermail/...ber/030467.html
>
>
| |
|
|
|
|