
Thread: Hacked via Frontpage Extensions

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    1

    Hacked via Frontpage Extensions

    Has anyone ever had a hacker attack their site by using the Frontpage extensions? One of my web sites that has some Frontpage extensions was hacked, and it was suggested that this may be the way the hacker got into the site. What would I look for in the web log or event log that would tell me if they used the Frontpage extensions? The hacker left the message "Hacked by NT_Xtract aka NTFX of UKb0x Crew", anyone familiar with their hacking tactics? Thanks in advance!

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    196
    from http://www.insecure.org/sploits_microshit.html

    There are many horrible security holes in the Microsoft Frontpage extensions. For example, you can list all files in directories on FP enabled sites, you can download password files on many of them, and a lot of FP sites even let you UPLOAD your own password files (!).
    Now, I'm not going to get on a Microsoft-bashing soap box, but the first thing you should check is to see if the password files were modified in some way. See if an IP is attached to that as well. I've read many articles detailing security problems with Frontpage extensions, so the question is: are you using the latest version, patches, hot fixes, etc.?

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Hacker Profiling

    Hehe JP, AO's Hacker Profiling-section actually works!
    My new motto: In God I trust, the rest I check...

    Destiny7, your 'hacker' is on dial-up, from the UK as he stated (dialup.lineone.co.uk), and is aka NTFX - NT_Xtract - signature NOGyQ.
    Guess this doesn't help you, but on Thursday, October 11, 2001 at 17:21, his IP was 213.123.60.59.

    Here is some stuff that might interest you:

    http://www.livejournal.com/users/ntfx/ :the link between NTFX and NT_Xtract.

    http://www.hackuk.f2s.com/: his homepage ( Apache/1.3.19 Server at www.hackuk.f2s.com Port 80).

    His email: NTX@SpyModem.Com


    Note: I spent a long time doubting about whether to post this or not, but I guess if you deface a website and don't cover your tracks, well, you should face the consequences.

  4. #4
    Senior Member
    Join Date
    Jul 2001
    Posts
    196
    I wish I had more antipoints to give you. Good thing he doesn't live in the US, might go to prison forever.

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Let me add one more thing: the only appropriate step to resolve this issue is sending an abuse mail to his provider...
    (Just in case 3l33t people like KaKoKoOl would consider 'let the punishment fit the crime'-stuff...)

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    111
    Hello,

    First of all, you have to check your webserver machine for logs
    from the internet guest account that you use for the webserver;
    by default it is IUSR_NameOfYourmachine. Check what script they have used.

    If you have IIS 5, then check for this:

    http://HOST/scripts/..%c1%9c../winnt....exe?/C+dir+C: (or any exe file)

    and things like this.
    Patch your IIS

    and get rid of the Microsoft Frontpage extension (it is a ****).
    If God had intended
    Man to program,
    we would be born
    with serial I/O ports.
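
Added example, not part of the original thread or any poster's code: a Python sketch of the log review asked about in post #1 and suggested in post #6, flagging requests to FrontPage extension directories and overlong-encoded URLs like the `..%c1%9c..` request above. It assumes an IIS W3C extended log with a `#Fields:` header; the sample lines, IP addresses and the `example.exe` name are constructed placeholders.

```python
import re
from collections import defaultdict

# 0xC0/0xC1 are never valid UTF-8 lead bytes, so "%c0%xx" or "%c1%xx" is an overlong encoding.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
FRONTPAGE = re.compile(r"/_vti_[a-z]+/", re.I)  # e.g. /_vti_bin/, /_vti_pvt/

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in map(str.strip, lines):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def classify(entry):
    """Return the reasons a request deserves a closer look (empty if none)."""
    target = entry.get("cs-uri-stem", "") + "?" + entry.get("cs-uri-query", "")
    reasons = []
    if OVERLONG.search(target):
        reasons.append("overlong-utf8")
    if FRONTPAGE.search(target):
        reasons.append("frontpage-path")
        if entry.get("cs-method", "").upper() in ("POST", "PUT"):
            reasons.append("frontpage-write")
    if reasons and entry.get("sc-status", "").startswith("2"):
        reasons.append("served-ok")  # the server answered 2xx
    return reasons

def suspicious_by_client(lines):
    """Group flagged requests by client IP: {ip: [(entry, reasons), ...]}."""
    hits = defaultdict(list)
    for e in parse_w3c(lines):
        reasons = classify(e)
        if reasons:
            hits[e.get("c-ip", "?")].append((e, reasons))
    return dict(hits)

# Constructed sample log (documentation IPs, placeholder .exe name).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-01 17:02:10 192.0.2.10 GET /index.htm - 200
2001-10-01 17:05:41 198.51.100.7 GET /_vti_pvt/service.pwd - 200
2001-10-01 17:06:02 198.51.100.7 POST /_vti_bin/_vti_aut/author.dll - 200
2001-10-01 17:09:13 203.0.113.5 GET /scripts/..%c1%9c../winnt/example.exe - 404
"""
```

Legitimate FrontPage authoring also produces `_vti_bin` requests, so treat hits as leads to compare against the addresses and times of known authors, with `served-ok` entries reviewed first.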
