Re: Tracking down the still infected hosts

From: Josh Burroughs (jburroug@lib.uaa.alaska.edu)
Date: 09/26/01 

Date: Tue, 25 Sep 2001 15:00:30 -0800 (AKDT)
From: Josh Burroughs <jburroug@lib.uaa.alaska.edu>
To: Dale Lancaster <dale@lancaster.hm>
Subject: Re: Tracking down the still infected hosts 
Message-ID: <Pine.LNX.4.33.0109251456540.6178-100000@asimov.lib.uaa.alaska.edu>

On Tue, 25 Sep 2001, Dale Lancaster wrote:
> However I am seeing new log entries that I haven't seen before:
>
> [Tue Sep 25 16:33:41 2001] [error] [client 199.26.11.171] File does not
> exist: /some/where/html/_vti_bin/shtml.exe/_vti_rpc
>
> It may just be some misconfiguration in our site, but the shtml.exe seems to
> point to something else since we don't use .exe stuff on our site. These
> are flooding my site, but we get lots of them over a day.

That's what it looks like when someone using MS Frontpage tries to
connect/upload a web site to a server with frontpage extensions installed.
If the IP's connecting are from inside your org find the offending users
and hit them with a stick ;-> Or setup redirects to goatse.cx, I'm not
sure if the frontpage client will honor a redirect but it'd be funny as
hell that has the intended effect ;->

-Josh

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com