RE: [suse-security] Strange apache log entry
Ok, Microsoft Frontpages has several security flaws, but that does not automatically mean that every request for _vti_<whatever> is done by a hacker or a script-kiddy. Have a look at the browser the client is using, if it's "MSFrontPage/X.Y" then please don't worry. But do worry if it's the only request for a link containing _vti* or if there is only one client (if it's not a proxy) requesting this url. Watch your system, but don't worry too much.

regards, Stefan Peer

-----Original Message-----
From: Soeren Todt [mailto:sworn@gmx.net]
Sent: Thursday, 31 May 2001 15:30
To: suse-security@suse.com; Thorsten Marquardt
Subject: Re: [suse-security] Strange apache log entry

Hi,

----- Original Message -----
From: "Thorsten Marquardt" <thom@kaupp.chemie.uni-oldenburg.de>
To: <suse-security@suse.com>
Sent: Thursday, May 31, 2001 1:45 PM
Subject: [suse-security] Strange apache log entry
my logfiles report 404 requests to /_vti_bin/shtml.exe/_vti_rpc and similar.
Is this a kind of hacker attack?
Maybe you find it out by yourself using a search engine:
http://www.google.de/search?q=_vti_bin%2Fshtml.exe%2F_vti_rpc++crack&hl=de&safe=off
then you get results like this:
http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html

Ciao Sören
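Added example, not part of any message in this thread: one way to run the check Stefan Peer describes over an Apache access log, grouping requests for _vti_ paths by client and looking at the User-Agent each one sent. It assumes the Apache "combined" log format; the sample lines, the function name triage_vti and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2001:13:02:11 +0200] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 291 "-" "MSFrontPage/4.0"
192.0.2.10 - - [31/May/2001:13:02:12 +0200] "GET /_vti_inf.html HTTP/1.0" 404 280 "-" "MSFrontPage/4.0"
198.51.100.7 - - [31/May/2001:13:40:55 +0200] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 291 "-" "Mozilla/4.0 (compatible)"
203.0.113.5 - - [31/May/2001:13:41:02 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0 (compatible)"
this line is malformed and must be skipped
"""


def triage_vti(log_text):
    """Group requests for _vti_ paths by client and label each client."""
    clients = defaultdict(lambda: {"hits": 0, "paths": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "_vti_" not in m["path"].lower():
            continue  # unparsable line, or a request unrelated to FrontPage paths
        entry = clients[m["host"]]
        entry["hits"] += 1
        entry["paths"].add(m["path"])
        entry["agents"].add(m["agent"])

    report = {}
    for host, entry in clients.items():
        # User-Agent is client-supplied: a match is a hint, not proof of origin.
        frontpage = all(a.startswith("MSFrontPage/") for a in entry["agents"])
        report[host] = {
            "hits": entry["hits"],
            "paths": sorted(entry["paths"]),
            "agents": sorted(entry["agents"]),
            "verdict": "frontpage-client" if frontpage else "review",
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(triage_vti(SAMPLE_LOG).items()):
        print(host, info["verdict"], info["hits"], ", ".join(info["paths"]))
```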
On 31-May-01 Peer Stefan wrote:
Ok, Microsoft Frontpages has several security flaws, but that does not automatically mean that every request for _vti_<whatever> is done by a hacker or a script-kiddy.
Well, not *every* request, but there are *some*. That's enough for being worried, isn't it.
Have a look at the browser the client is using, if it's "MSFrontPage/X.Y" then please don't worry. But do worry if it's the only request for a link containing _vti* or if there is only one client (if it's not a proxy) requesting this url.
Watch your system, but don't worry too much.
IMHO such suggestions are somewhat misleading. At last, this is a security mailing list we're posting in, and a certain amount of paranoia seems to be appropriate considering the current lack of (inter)network security we're confronted with all day. Sometimes I wish some of 'dem (security-)admins would be just a little more aggressive towards security incidents of *any* kind, even if they (the incidents) would end up being harmless. Sorry for the rant...;)
regards, Stefan Peer
-----Original Message-----
From: Soeren Todt [mailto:sworn@gmx.net]
Sent: Thursday, 31 May 2001 15:30
To: suse-security@suse.com; Thorsten Marquardt
Subject: Re: [suse-security] Strange apache log entry
Hi,
----- Original Message -----
From: "Thorsten Marquardt" <thom@kaupp.chemie.uni-oldenburg.de>
To: <suse-security@suse.com>
Sent: Thursday, May 31, 2001 1:45 PM
Subject: [suse-security] Strange apache log entry
my logfiles report 404 requests to /_vti_bin/shtml.exe/_vti_rpc and similar.
Is this a kind of hacker attack? [...]
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
Hi,

I've been asked to set up an external website using the following (possible) architecture. I'm looking for some good docs./sites on how to set up and use Susefirewall. My config. is as follows:

1. firewall box - running Susefirewall, to do filtering/NAT
2. HTTP server 192.##.###.#1
3. Database server 192.##.###.#2

Internet       Susefirewall             HTTP Server              Database Server
-------------> 149.##.###.## <--------> 192.##.###.#1 <--------> 192.##.###.#2

Traffic from the internet should go through the firewall and the addresses translated to the internal box ip addresses.
Peer Stefan wrote:
Ok, Microsoft Frontpages has several security flaws, but that does not automatically mean that every request for _vti_<whatever> is done by a hacker or a script-kiddy.
Thorsten talked about an apache webserver where he found the frontpage entries. (From the security point of view nobody really wants to run fp-extension on a UNIX/Linux.) So, what was the point to search FP stuff on an apache?

Ciao Sören
participants (4)
- Boris Lorenz
- Peer Stefan
- Soeren Todt
- Steve Peticca