[Dshield] FrontPage Configuration Probe

James C Slora Jr Jim.Slora at phra.com
Tue Nov 26 17:17:42 GMT 2002

I got a set of HTTP probes I haven't seen before.

The first probe (an empty GET - the default web page) is very common and
would of course help identify the server type and version. The second probe
would be useful in identifying servers running FrontPage Server Extensions
(FPE) and in directing an attack on a server that had tried to use security
through obscurity by moving the extensions to another directory.

This is not a directory traversal attempt. The _vti_inf.html contains
directory locations and client configuration information for FPE. It was not
an accidental connection attempt by a FrontPage client, because it swept the

Alternative explanations about how this probe might help an attacker?

11/26/02-16:13:07 -> myhost:80 TCP
GET / HTTP/1.1..Host: xx.xx.xx.xx
GET /_vti_inf.html HTTP/1.1..Host: xx.xx.xx.xx
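
A defender-side way to look for this probe in request logs, added here as an example and not part of the original post. The record layout, the addresses (documentation ranges), the function names and the two-host sweep threshold are all assumptions made for illustration; the only thing taken from the post is the /_vti_inf.html request itself.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample records, one request per line (hypothetical layout):
# "<timestamp> <source> -> <destination>:<port> <request line>"
SAMPLE_LOG = """\
11/26/02-16:13:07 203.0.113.7 -> 192.0.2.10:80 GET / HTTP/1.1
11/26/02-16:13:07 203.0.113.7 -> 192.0.2.10:80 GET /_vti_inf.html HTTP/1.1
11/26/02-16:13:09 203.0.113.7 -> 192.0.2.11:80 GET / HTTP/1.1
11/26/02-16:13:09 203.0.113.7 -> 192.0.2.11:80 GET /%5Fvti%5Finf.html HTTP/1.1
11/26/02-16:13:12 203.0.113.7 -> 192.0.2.12:80 GET /_VTI_INF.HTML?x=1 HTTP/1.1
11/26/02-16:20:41 198.51.100.23 -> 192.0.2.10:80 GET /_vti_inf.html HTTP/1.1
11/26/02-16:21:02 198.51.100.40 -> 192.0.2.10:80 GET /index.html HTTP/1.1
"""

RECORD = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$"
)
PROBE_PATH = "/_vti_inf.html"


def normalized_path(target):
    """Drop the query string, percent-decode, and lowercase the path."""
    return unquote(urlsplit(target).path).lower()


def find_fpe_probes(log_text, sweep_threshold=2):
    """Map source -> hosts it asked for _vti_inf.html, plus a sweep flag."""
    hosts_by_source = defaultdict(set)
    for line in log_text.splitlines():
        match = RECORD.match(line.strip())
        if match and normalized_path(match["target"]) == PROBE_PATH:
            hosts_by_source[match["src"]].add(match["dst"])
    return {
        src: {"hosts": sorted(hosts), "sweep": len(hosts) >= sweep_threshold}
        for src, hosts in hosts_by_source.items()
    }


if __name__ == "__main__":
    for src, info in find_fpe_probes(SAMPLE_LOG).items():
        kind = "sweep" if info["sweep"] else "single host"
        print(f"{src}: {kind}, {len(info['hosts'])} host(s): {info['hosts']}")
```

Matching on the normalized path catches percent-encoded and mixed-case variants of the same request, and grouping by source separates one client touching one server from a source asking many servers for the same file.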

