'HTTP IIS SHTML Request' has cause my forum to act up - help!

Jeffrey Hopkins

Hi,

I have encountered a similar problem mentioned by another "Jeff" in his post
'Discussion Board'.

It seems to be the same problem with my forums that I use for my
internet-based college physics and astronomy classes.

I have been unable to reply to any student posts - all I can do is make
original posts (as many but not all of the students have to do now as well).

I still don't know what to do - any help would be appreciated.




Here's what I have found out thus far... When it first started acting up -
about a week ago, Norton claimed it had detected a worm with the following
message

=============================

Details:
Attempted Intrusion "HTTP IIS SHTML Request" from your machine against
discuss.midlandstech.edu(xxx.x.xxx.xx) was detected and blocked.
Intruder: EMACHINE(xxx.xxx.x.xxx)(1152).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: discuss.midlandstech.edu(xxx.x.xxx.xx).
Attacked Port: http(80).


=============================


So I contacted our webmaster at the college and they did a scan and indeed
found a worm, but they have not figured out why I can no longer reply to
posts, so I looked up the "HTTP IIS SHTML Request" and found this
information from the Symantec security of attack signatures
(http://securityresponse.symantec.com/avcenter/attack_sigs/) for "HTTP IIS
SHTML Request"
(http://securityresponse.symantec.com/avcenter/attack_sigs/s20350.html).




HTTP IIS SHTML Request
Severity: Medium

This attack could pose a moderate security threat. It does not require
immediate action.



Description

This signature detects requests made to the shtml.exe or shtml.dll files
on the webserver.



Additional Information

There are two different vulnerabilities associated with these files. The
first is an information disclosure issue and the second is a denial of
service. Below is an explanation of both vulnerabilities.

The first vulnerability is that the local path of an HTML, HTM, ASP, or
SHTML file can be disclosed in Microsoft IIS 4.0/5.0 / Frontpage Server
Extensions 1.1 and prior. Passing a path to a non-existent file to the
shtml.exe or shtml.dll (depending on platform) program will display an error
message stating that the file cannot be found accompanied by the full local
path to the web root. For example, performing a request for
http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an
error message stating "Cannot open "C:\localpath\non_existant_file.html": no
such file or folder"

The second vulnerability makes it possible to remotely crash a system
running Microsoft FrontPage Server Extensions by conducting a URL request
for a MS-DOS device through shtml.exe. For example, the following URL
requests will crash FrontPage Server Extensions:
http://target/_vti_bin/shtml.exe/comX.htm (X being one of 1, 2, 3, or 4;
the device must exist on the target machine)
http://target/_vti_bin/shtml.exe/prn.htm
http://target/_vti_bin/shtml.exe/aux.htm

The device name must have an appended extension in order for the exploit
to work. In addition to the HTM extension, ASP will work as well. Restarting
IIS or rebooting the system is required in order to regain normal
functionality.

Testing has shown that it may require a constant stream of these requests
in order to render the server ineffective.

Affected:

Microsoft FrontPage 2000 Server Extensions SR 1.0
Microsoft FrontPage Server Extensions Module for Apache 3.0.4
Microsoft IIS 4.0, 5.0


Response

Both of these vulnerabilities have been corrected in Microsoft FrontPage
Server Extensions SR1.2

This update can be downloaded from the following locations:

For Microsoft FrontPage 2000 Server Extensions SR 1.0:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft FrontPage Server Extensions Module for Apache 3.0.4:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft IIS 4.0:
Microsoft Patch FrontPage Server Extensions SR2

For Microsoft IIS 5.0:
Microsoft Patch FrontPage Server Extensions SR2

Possible False Positives

There are no known false positives associated with this signature.

Additional References

- SecurityFocus BID: 1174
- CAN-2000-0413

--

Thanks,
Jeffrey


Beneath South Carolina skies and clouds
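As an added illustration, not part of Jeffrey's post or of Symantec's signature text, here is a small log scanner a webmaster could run over IIS access logs to spot the request patterns the advisory describes (shtml.exe/shtml.dll hits, 404s that would trigger the path-disclosure error, and repeated MS-DOS device-name requests). The log layout and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified IIS-like layout
# (date time client-ip method uri status); not taken from the original post.
SAMPLE_LOG = """\
2000-05-01 10:00:01 203.0.113.5 GET /index.html 200
2000-05-01 10:00:02 203.0.113.5 GET /_vti_bin/shtml.dll/non_existant_file.html 404
2000-05-01 10:00:03 203.0.113.7 GET /_vti_bin/shtml.exe/com1.htm 500
2000-05-01 10:00:03 203.0.113.7 GET /_vti_bin/shtml.exe/prn.asp 500
2000-05-01 10:00:04 203.0.113.7 GET /_vti_bin/shtml.exe/aux.htm 500
2000-05-01 10:00:05 198.51.100.9 POST /_vti_bin/shtml.dll/_vti_rpc 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
SHTML_RE = re.compile(r"/_vti_bin/shtml\.(?:exe|dll)(?P<rest>/[^\s?]*)?", re.I)
# Device names listed in the signature text (COM1-4, PRN, AUX) with HTM/ASP extension.
DEVICE_RE = re.compile(r"^/(?:com[1-4]|prn|aux)\.(?:htm|asp)$", re.I)

def classify(uri, status):
    """Return a category for one request, or None if shtml.* was not touched."""
    m = SHTML_RE.search(uri)
    if not m:
        return None
    rest = m.group("rest") or ""
    if DEVICE_RE.match(rest):
        return "dos-device"        # matches the crash pattern in the advisory
    if status == 404:
        return "path-disclosure"   # missing file: error text may reveal the local path
    return "shtml-request"         # ordinary FrontPage client traffic, still worth logging

def scan(log_text):
    """Return (ip, uri, category) for each line that hits shtml.exe or shtml.dll."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, ip, _, uri, status = m.groups()
        cat = classify(uri, int(status))
        if cat:
            hits.append((ip, uri, cat))
    return hits

def flag_sources(hits, threshold=3):
    """IPs with at least `threshold` device-name requests; the advisory notes a
    sustained stream of them is what actually takes the server down."""
    per_ip = Counter(ip for ip, _, cat in hits if cat == "dos-device")
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(*h)
    print("flagged:", flag_sources(found))
```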
 
