October 11th, 2001, 09:39 PM
Hacked via Frontpage Extensions
Has anyone ever had a hacker attack their site by using the Frontpage extensions? One of my web sites that has some Frontpage extensions was hacked, and it was suggested that this may be the way the hacker got into the site. What would I look for in the web log or event log that would tell me if they used the Frontpage extensions? The hacker left the message "Hacked by NT_Xtract aka NTFX of UKb0x Crew"; is anyone familiar with their hacking tactics? Thanks in advance!
October 11th, 2001, 10:00 PM
Now, I'm not going to get on a Microsoft-bashing soap box, but the first thing you should check is to see if the password files were modified in some way. See if an IP is attached to that as well. I've read many articles detailing security problems with Frontpage extensions, so the question is: are you using the latest version, patches, hot fixes, etc.?
There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
October 12th, 2001, 06:09 PM
Hehe JP, AO's Hacker Profiling-section actually works!
My new motto: In God I trust, the rest I check...
Destiny7, your 'hacker' is on dial-up, from the UK as he stated (dialup.lineone.co.uk), and is aka NTFX - NT_Xtract - signature NOGyQ.
Guess this doesn't help you, but on Thursday, October 11, 2001 at 17:21, his IP was 220.127.116.11.
Here is some stuff that might interest you:
http://www.livejournal.com/users/ntfx/ :the link between NTFX and NT_Xtract.
http://www.hackuk.f2s.com/: his homepage ( Apache/1.3.19 Server at www.hackuk.f2s.com Port 80).
His email: NTX@SpyModem.Com
Note: I spent a long time doubting whether to post this or not, but I guess if you deface a website and don't cover your tracks, well, you should face the consequences.
October 12th, 2001, 07:04 PM
I wish I had more antipoints to give you. Good thing he doesn't live in the US, might go to prison forever.
October 12th, 2001, 07:19 PM
Let me add one more thing: the only appropriate step to resolve this issue is sending an abuse-mail to his provider...
(Just in case 3l33t people like KaKoKoOl would consider 'let the punishment fit the crime'-stuff...)
October 13th, 2001, 08:00 AM
First of all, you have to check your webserver machine for logs from the Internet guest account that you use for the webserver; by default it is IUSR_NameOfYourmachine. Check what script they have used.
If you have IIS 5, then check for this:
http://HOST/scripts/..%c1%9c../winnt....exe?/C+dir+C: (or any exe file)
and things like this.
Make a patch to your IIS and get rid of Microsoft Frontpage extension (it is a ****).
If God had intended
Man to program,
we would be born
with serial I/O ports.
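Added example, not part of any post in this thread: a log check for the opening question, flagging the overlong-UTF-8 `%c1%9c` style of request quoted in the last reply and requests to the FrontPage `_vti_pvt` and `_vti_bin` authoring paths. The log lines are constructed, `EXAMPLE.exe` is a placeholder, the `_vti_*` paths are the standard FrontPage extension locations rather than names given in the thread, and the code assumes the IIS log keeps percent-escapes as received.

```python
import re

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-10-11 17:20:01 192.0.2.10 - GET /index.htm - 200
2001-10-11 17:21:07 192.0.2.77 - GET /scripts/..%c1%9c../EXAMPLE.exe /C+dir+C: 200
2001-10-11 17:21:30 192.0.2.77 - GET /_vti_pvt/service.pwd - 200
2001-10-11 17:22:02 192.0.2.77 - POST /_vti_bin/_vti_aut/author.dll - 200
2001-10-11 17:23:15 192.0.2.10 - GET /scripts/..%c0%af../EXAMPLE.exe /c+dir 404
"""

RULES = {
    # %c0 and %c1 are never valid UTF-8 lead bytes, so an escape pair starting
    # with them is an overlong encoding (here hiding "/" or "\" in a path).
    "overlong-utf8-traversal": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
    # FrontPage keeps its password and configuration files in _vti_pvt.
    "frontpage-private-dir": re.compile(r"/_vti_pvt/", re.I),
    # Authoring and administration entry points of the extensions.
    "frontpage-author-admin": re.compile(r"/_vti_bin/_vti_(aut|adm)/", re.I),
}

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def scan(text):
    """Return (client_ip, rule, request, status, served) for each rule hit."""
    hits = []
    for row in parse_w3c(text):
        request = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "-")
        status = row.get("sc-status", "")
        for name, pattern in RULES.items():
            if pattern.search(request):
                # 2xx means the server answered the request instead of refusing it.
                hits.append((row.get("c-ip"), name, request, status, status.startswith("2")))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Hits on `author.dll` from the site owner's own address are ordinary FrontPage publishing traffic, so compare the client IP and timestamp against known authoring sessions before treating them as intrusion evidence.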