Mar 30, 2010

Microsoft FrontPage Exploit Attempts

Someone on a local comcast.net machine:

$ traceroute 75.72.0.20
traceroute to 75.72.0.20 (75.72.0.20), 64 hops max, 40 byte packets
...
11  te-0-3-0-5-ar01.roseville.mn.minn.comcast.net (68.86.91.186)  38.256 ms  49.556 ms  49.310 ms
12  te-0-1-0-0-ar01.crosstown.mn.minn.comcast.net (68.87.174.218)  72.147 ms  66.879 ms  73.369 ms
13  te-8-1-ur02.pillsbury.mn.minn.comcast.net (68.86.232.86)  70.672 ms  73.403 ms  75.239 ms
14  ge-4-1-0-ten01.pillsbury.mn.minn.comcast.net (68.85.164.206)  78.400 ms  76.518 ms  72.266 ms
15  c-75-72-0-20.hsd1.mn.comcast.net (75.72.0.20)  75.868 ms  80.111 ms  86.035 ms

Is attempting to use an old Microsoft FrontPage remote administration tool exploit to cause a buffer overflow and gain access to my server. This is what it looks like in the Apache log file:

0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 546 "-" "-"
75.72.0.20 - - [29/Mar/2010:15:15:47 -0500] "GET / HTTP/1.0" 200 11988 "-" "-"
75.72.0.20 - - [29/Mar/2010:15:16:18 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 20680 "-" "-"

This is a known problem and it would be considerably more annoying if I were running FrontPage and/or IIS. All it does on my machine is dump my Apache processes and drive my system load through the roof, effectively a DoS attack.
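To pick these attempts out of an access log without reading it by hand, here is an added example (not part of the original post) that parses Apache combined-format lines and flags the three signals visible above: requests for FrontPage/IIS-only paths such as /_vti_bin/, a run of the literal text \x90 in the request line (Apache writes non-printable request bytes that way, so a NOP sled is logged as repeated "\x90"), and a 414 status, which is Apache's own "Request-URI Too Long" rejection. The sample log lines, the documentation-range IP addresses and the 16-repeat sled threshold are constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" log format. The request is the quoted field after the
# timestamp; escaped bytes appear inside it as literal \xNN text.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths only FrontPage Server Extensions / IIS would serve (taken from the
# RedirectMatch list in the post). On an Apache host any hit is probe traffic.
SUSPICIOUS_PATH_RE = re.compile(
    r'/_vti_bin/|/_mem_bin/|/msadc/|/scripts/\.\.|/[cd]/winnt/|cmd\.exe|root\.exe',
    re.IGNORECASE,
)

# A NOP sled shows up as a run of the literal four-character text "\x90".
# The minimum run length of 16 is an assumption chosen for this example.
NOP_SLED_RE = re.compile(r'(?:\\x90){16,}')

# Constructed sample lines modelled on the ones quoted in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2010:15:15:40 -0500] "GET /' + '\\x90' * 40 + ' HTTP/1.0" 414 546 "-" "-"',
    '203.0.113.5 - - [29/Mar/2010:15:15:47 -0500] "GET / HTTP/1.0" 200 11988 "-" "-"',
    '203.0.113.5 - - [29/Mar/2010:15:16:18 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 20680 "-" "-"',
    '198.51.100.7 - - [29/Mar/2010:15:20:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def classify(line):
    """Parse one log line; return None if unparseable, else a dict whose
    'reasons' list is empty for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group('request')
    reasons = []
    if NOP_SLED_RE.search(req):
        reasons.append('nop-sled')
    if SUSPICIOUS_PATH_RE.search(req):
        reasons.append('frontpage-path')
    if m.group('status') == '414':
        reasons.append('uri-too-long')
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'request': req[:60],   # truncated for display only
        'reasons': reasons,
    }


def scan(lines):
    """Return the flagged records and a per-source-IP hit count."""
    hits = [r for r in (classify(l) for l in lines) if r and r['reasons']]
    return hits, Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    hits, by_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['status'], ','.join(h['reasons']), h['request'])
    print('sources:', dict(by_ip))
```

To run it against a real file, replace SAMPLE_LOG with open('/var/log/apache2/access.log') or pipe the log in; the per-IP counter is what you would feed into a firewall block list or a fail2ban-style rule.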

One of the canonical remedies simply redirects the requests to microsoft.com:

# RedirectMatch is provided by mod_alias, not mod_rewrite, so that is the
# module the IfModule test has to check for; otherwise the block is skipped.
<IfModule mod_alias.c>
# Old IIS/Code Red style probes
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com/
# FrontPage Server Extensions paths (fp30reg.dll lives under /_vti_bin/)
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com/
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com/
</IfModule>

There is humor in this, though the right thing to do would be a redirect to a local 404.html file. This should effectively stop the propagation of the exploit.
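A 301 to a 404.html page still costs a second request per probe. The following added example (not the post's own configuration) answers the same probe paths with an immediate 404 instead; mod_alias's Redirect/RedirectMatch take a bare status code with no target URL when the code is outside the 300-399 range, and the pattern list is the post's, collapsed with case-insensitive matching so the /msadc/ and /MSADC/ variants share one rule.

```apache
# Added example: return 404 directly for FrontPage/IIS probe paths.
# RedirectMatch belongs to mod_alias, so test for that module.
<IfModule mod_alias.c>
    # No target URL: a status outside 300-399 is returned as-is.
    RedirectMatch 404 "(?i)/_vti_bin/"
    RedirectMatch 404 "(?i)/_mem_bin/"
    RedirectMatch 404 "(?i)/msadc/"
    RedirectMatch 404 "/scripts/\.\."
    RedirectMatch 404 "(?i)/[cd]/winnt/"
    RedirectMatch 404 "(?i)(cmd|root)\.exe"
</IfModule>
```

The oversized request that produced the 414 in the log above never reaches these rules: Apache rejects a request line longer than LimitRequestLine (default 8190 bytes) with 414 before any alias or rewrite processing, so the rules only need to cover the shorter probe requests that follow it.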

(See also: linuxquestions.com: security)

Written by kunau in: LINUX
