Printable View
know its vulnreble... some password files lieng there you can grab... what passwords?
remote login and authoring without a login and password to frontpage??? or what?
and for what scans frontpage.pl by bansh33 of r00tabega ?
coz it found this thingy on my iis, so i would like to read more about the vuln in bugtrq/security focus etc or any other source that i could understand what are the riscks and how patch and stuff.
what version of IIS and Frontpage extensions are you running? If you have all of the patches from Windows Update, you should not be vunerable to any authentication or directory traversal attacks.
If you are worried about Front Page Extension vulnerabilities, check out Microsoft for patches or keep an eye out for new sploits that crop up.
A good place to go is http://www.securityfocus.com/microsoft
I wish you the best of luck in this matter; however, you are not very clear in your inquiry. Please reiterate the question if possible.
Jack
The passwords that can get grabbed are the FrontPage administrator passwords for making changes too or even building a web site. This can be done remotly. In un-patched versions no user name or password is required if none have been entered.
IIS FrontPage extensions are installed by default so even if one is wise enough not to use front page to build the site the extensions may still allow someone using FrontPage remotely to do anything they want to your site.
A friend of mine built a site with dream weaver. He asked me to check the security on it. The first thing I did was open it in FrontPage. The login box came up and I hit enter without filling it in. So I renamed his index page and put one of my own in and saved the changes. He was rather embarrassed and I was sorry after I did it for acting like an ass instead of just telling him. but at least the whole world and the boss didn’t see it.
Passwords (sometimes) and the local drive and path to the web directory can be read with an html GET request to the correct file.
Frontpage.pl takes a list of servers, previously gotten by scanning an IP range for port 80 then loops through threw them looking for IIS servers that are un-patched. It doesn’t attempt to hack into them just tells you which ones they are. If you apply the patches (old ones at that) it will close these holes but chances are if your server was un-patched for these 2, your probably open to the Unicode exploit. More than likely your computer has been owned by a few others. And more than likely has a Trojan or two feeling quite at home there. You might find some full-length movies in rar file format buried deep in the winnt directory or some porn and some warez if your on broadband.
If I were you Id download the latest service pack for your machine burn them onto cd, format re-install, then apply the service pack before I reconnected the machine to the internet. Then go and get any hot fixes that weren’t on it, from the ms update site.
another site to check is http://www.packetstormsecurity.org/
lol Tedob1
my i installed the iis on my win2k just for security seasons i test on it vulns and bugs to learn more about them.
i got iis 5 on win2k sp2 (yeah sp4 is out but im on 56k so i will keep for a while with sp2)
and i didnt patched anything
my iis is always down and only when i wanna test something i run it
and i was almost owned once from israelian dude from the same isp as i do
he used tftp (forgot to delete it) and he was upping some trojan so my antivirus notified my...
i just formatted then and didnt installed firewall yet... well i noticed my 56k being extremly slow the hacker fed up upping the files becouse my conection was so slow
well to bad for him...
and i know how pubstro hacking works... 99% only knows iis unicode\decode and they use tftp... usually with servu named servudaemon... i would notice if i had such thing im not a wanna be sysop...
now about frontpage... will see with the blank login
wonder for what the frontpage.pl perl script looks for (what file?)
last thing, not really conected but if you kinda mentioned it in unicode/decode if i wanna echo the "=" (i was bored once and tried echo some nonse spam) character how i do it? becouse it didnt worked for me on my server
this is the string frontpage.pl sends:
send(CLIENT,"GET /_vti_inf.html HTTP/1.0\n\n",0);
but the file thats needed is service.pwd
try %3D or %3D% not sure
servudeamon is standard ftp not trivial but your right you would see it amoung the proceses running. your first post gave no indication of what you knew
yeah you will see servu running but usually hackers will change his name to some system process to be unnoticed the favourite is winmgmt... why? becouse there is a tutorial about hacking iis andd it sais to change your servu to this name... well some idiot script kiddies got typos and call it winmgNt...
anyway i will noticed that something wrong becouse my 56k would get even slower :D
anyway i got _vti_inf.html but didnt found service.pwd
also tried that blank login but it wasnt succesful due to the fact that i couldnt find in ms frontpage 2000 somwhere something that conected to remote authoring...
you said you modified your friends main page well can you tell me please where is this option is hiding?
did the tut mention how to keep the icon from showing up in systray...now thats funny...i wonder what that big green U is?
its "open web" but in IE its an icon on the tool bar which automatically opens the web page in the default editor
hmmm the green U is of the servu administrator program (versions above 2.5x)
in versions below 3.0 there is a green U but you can hide it with the /h parameter.
anyway to the point... in IE i got only edit with notepad,excel and word...
when i do open web it opens my local computer, but it suposed to be remote... so i want to open it as localhost 127.0.0.1 and not simply a file from the hard disk. am i wrong?
that wasn't really a question. ive seen it get installed with the icon in the task tray. i thought it was funny
but anyway go to tool>>programs and select it as your html editor
hmm i knew that this was the problem... i didnt said to fp2k to be the deafult editor becouse of that it ddnt showed up... (dreamweaver is better)
anyway i was playing around and found the import wizard even though i didnt understand from where it import files i ran it and it asked for author pass... well i tried blank passs but no luck then my login pass to the nt box (im member of the admin group but the username isnt administrator) and then it got in and imported... how could it be i didnt configured frontpage server extensions so there should be a blank login isnt it?
but i didnt figured out how to save for example 127.0.0.1/test.htm that i opened to edit to save it on the server and not on the hard disk,,,
btw sorry for bothering you and asking so much
winmgnt is a packed version of serv-u 3 with stripped "green U"Quote:
Originally posted here by CraZy_AhmaD
yeah you will see servu running but usually hackers will change his name to some system process to be unnoticed the favourite is winmgmt... why? becouse there is a tutorial about hacking iis andd it sais to change your servu to this name... well some idiot script kiddies got typos and call it winmgNt...
it comes with 2 or 3 dll files including the NIMDA worm.
so running the winmgnt it sets the worm free if the dll files exists.
btw. it's out of date and any av software should recognize it.
(some av tools find any servu 3 version as virus.)