# Hack Attempt: POST /_vti_bin/_vti_aut/fp30reg.dll

## Bob P

i noticed an interesting entry in my http server's logs this afternoon:

```
24.125.98.245 - - [21/Apr/2005:20:02:51 +0000] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0 "" ""
```

i googled for fp30reg.dll and found that it's an attempt to exploit a Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability.

i guess the question that comes along next is what i should do about it.  i'm not running MS Frontpage 2000 Server -- I'm running a tiny secure http server in a chrooted gentoo environment on read-only media.

the ip address belongs to comcast cable.  i've already configured my firewall to drop future packets from this bozo.

so who would you recommend to notify next?   do the Network Abuse and Policy Observance people at comcast take this kind of problem seriously?

----------

## mcspiff

It's probably just a zombie windows pc.

----------

## Bob P

sheesh.  here's another Comcast customer:

```
24.17.13.48 - - [21/Apr/2005:21:22:54 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/0.9" 404 0 "" ""
```

----------
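
Added example, not part of any post in this thread: a small log classifier for the two kinds of request quoted above. It percent-decodes the path repeatedly so the double-encoded `%255c` in the second request is recognised as a backslash. The signature names and the third sample line are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Access-log layout used by the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signature names are hypothetical; patterns are derived from the two quoted requests.
SIGNATURES = [
    ("frontpage-fp30reg", re.compile(r"/_vti_bin/_vti_aut/fp30reg\.dll", re.I)),
    ("traversal-cmd-exe", re.compile(r"\.\.[\\/].*cmd\.exe", re.I)),
]

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash is not missed."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return details of a matched probe, or None for unmatched/unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    decoded, rounds = fully_decode(m["path"])
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return {"ip": m["ip"], "signature": name,
                    "status": int(m["status"]), "double_encoded": rounds > 1}
    return None

SAMPLE_LINES = [  # first two are from the thread; the third is constructed
    '24.125.98.245 - - [21/Apr/2005:20:02:51 +0000] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 0 "" ""',
    '24.17.13.48 - - [21/Apr/2005:21:22:54 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/0.9" 404 0 "" ""',
    '192.0.2.10 - - [21/Apr/2005:21:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "" ""',
]

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(classify(entry))
```

A 404 status in the result means the probed path does not exist on the server, which is the case for both requests in the thread.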

## quag7

Dozens of these a day - sometimes hundreds - show up in one of my web server's logs.  As mcspiff pointed out, it's probably just a zombie windows PC.  I just ignore these attempts.  Most machines will just move on, failing to exploit anything.  Infected machines come and go - tracking these kinds of things down is not something I have time for.  It's a sad state of affairs, really.  It's good you're watching your logs though.

----------

## Bob P

it's funny... i never got hit by these things until i modified my robots.txt file to allow indexing by the search engines.  i don't know if it's a coincidence or not, but it seems that these guys' arrival is closely correlated with my site's appearance in the search engines.  i wonder if these malware programs utilize the search engines, or if they just scan IPs sequentially and the timing of their appearance is nothing more than a coincidence.

----------

## mekong

Ah yes, why scan the whole subnet for an http server, when you could search for webservers on google  :Smile: 

I think some of those scripts for known php forum, awstats, etc. exploits found victims by search engine.

----------

## Bob P

crafty bastids.  :Twisted Evil: 

----------

## christsong84

*Bob P wrote:*

> crafty bastids.


I get a lot of those on my little servers too (most of them originate from an Australian set of IPs, strangely enough)...awstats is the most common thing they try on me (I never really installed it...yay for me I guess  :Razz:  ), followed by Microsoft WebDAV server exploits (running WebDAV on a development box for people at work...except...it's not a Microsoft server...)

and I get some strange sort of joy watching them try...perhaps I'm just twisted :twisted:

----------

