FrontPage Server Extensions for Windows - Forms Exploit ???

This is Interesting: Free IT Magazines  
Home > Archive > FrontPage Server Extensions for Windows > July 2005 > Forms Exploit ???





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Forms Exploit ???
gilman01

2005-07-13, 6:00 pm

For the past several days we have a client who has complained about getting
multiple submissions of their forms. In researching it appears that the same
information appears in these forms but they are coming from different IP
addresses. They are running at random times and never repeating the same IP
address.

Here is a view at some of the logs
81.240.255.226 - - [12/Jul/2005:17:02:33 -0400] "POST
/_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 484 "-"
"www.textron.com/testBot"
81.240.255.226 - - [12/Jul/2005:17:02:33 -0400] "POST
/_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 754 "-"
"www.textron.com/testBot"
81.240.255.226 - - [12/Jul/2005:17:02:35 -0400] "POST
/_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 594 "-"
"www.textron.com/testBot"
81.240.255.226 - - [12/Jul/2005:17:02:35 -0400] "POST
/_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 368 "-"
"www.textron.com/testBot"

I attempted to fool this thing by changing the name of the form but that
didn't help any. It appears to be some type of autmated process running
becasue the form results are identical each and every time (and we've had at
least a hundred at this point).

Here are the server details:
FrontPage Server Ext. Version 5.0.2.2635
O/S is Fedora i686
cPanel Version 9.9.8 R161

Has anyone else seen anything like this or have any suggestion how I can
deal with this short of removing all the forms from this site?

--
Jeff Hoffman
The Gilman Group
Tom Pepper Willett

2005-07-13, 6:00 pm

Welcome to the wonderful world of spammers.
--
===
Tom "Pepper" Willett
Microsoft MVP - FrontPage
---
About FrontPage 2003:
http://office.microsoft.com/home/of...etid=FX01085802
===
"gilman01" <gilman01@discussions.microsoft.com> wrote in message
news:6B44488A-C754-4E28-81EE-C45C27515F46@microsoft.com...
| For the past several days we have a client who has complained about
getting
| multiple submissions of their forms. In researching it appears that the
same
| information appears in these forms but they are coming from different IP
| addresses. They are running at random times and never repeating the same
IP
| address.
|
| Here is a view at some of the logs
| 81.240.255.226 - - [12/Jul/2005:17:02:33 -0400] "POST
| /_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 484 "-"
| "www.textron.com/testBot"
| 81.240.255.226 - - [12/Jul/2005:17:02:33 -0400] "POST
| /_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 754 "-"
| "www.textron.com/testBot"
| 81.240.255.226 - - [12/Jul/2005:17:02:35 -0400] "POST
| /_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 594 "-"
| "www.textron.com/testBot"
| 81.240.255.226 - - [12/Jul/2005:17:02:35 -0400] "POST
| /_vti_bin/shtml.exe/WN_Contact-1.htm HTTP/1.1" 200 368 "-"
| "www.textron.com/testBot"
|
| I attempted to fool this thing by changing the name of the form but that
| didn't help any. It appears to be some type of autmated process running
| becasue the form results are identical each and every time (and we've had
at
| least a hundred at this point).
|
| Here are the server details:
| FrontPage Server Ext. Version 5.0.2.2635
| O/S is Fedora i686
| cPanel Version 9.9.8 R161
|
| Has anyone else seen anything like this or have any suggestion how I can
| deal with this short of removing all the forms from this site?
|
| --
| Jeff Hoffman
| The Gilman Group


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com