linuXploit_crew attacked my WEB Server using FrontPage Extensions

My test WWW site (hosted on Windows XP) recently had the start page replaced by a page that includes the following text in the first line:

[linuXploit_crew]

The full HTML of this file is included at the bottom of this post.

The offending files were written on 17-Oct-2008 [UTC +11]

Examination of the IIS log file (ex011016.log) shows that the files were put in place (POSTed) via author.dll which is part of the FrontPage extensions.

I have uninstalled FrontPage extensions using

Control Panel -> Add Remove Programs -> Windows Components ->
   IIS -> Details ->

I suggest you do the same.

The offending HTML

<html>
<head>
<title>linuXploit_crew</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF">
<div align="center"> 
  <p>[linuXploit_crew]</p>
  <p>O grupo linuXploit_crew foi criado em 05/04/2007. </p>
  <p>Os membros da época Hualdo / c0d3_bl4ck_ninja / _seri4l_kill3r_ / 
    lordx / derf-</p>

  <p>Atualmente ano de 2008 tem Hualdo / derf- e o lordx que voltou ao grupo e 
    _Seri4l_Kill3r_ esta off</p>
  <p>O nome você criado meio na loucura e sem frescuras</p>
  <p>Na época foi criado devido a revolta contra o grupo core-project um 
    membro antigo do grupo core-project se achou o grande hacker so porque catavamos 
    maquinas windows e disse que não aceitava isso porém estranhamente 
    eles mesmos criarão 1 ferramenta para catar pdw</p>
  <p>Um dos motivos de aparacer mais um grupo brasileiro defacers é não 
    aceitar postar subdir em nome do grupo ou seja somente página principal 
    alterada ou seja a index</p>

  <p>Sempre acreditei que deface é a pagina principal alterada e não 
    www.site.com/blablabla.htm lembro do site alldas somente index alteradas porém 
    um dia acabou o alldas</p>
  <p>Entrava em cena o site zoneh muito bom no começo depois de um tempo 
    começou aparecer grupos postando /subdir na grande maioria turcos e 
    chineses postando para crescer no hank</p>
  <p> linuXploit_crew não é o melhor ou pior somente tentando fazer 
    a diferença nos defacers</p>

  <p>-----------------------------------------------------------------------------------------------------------------</p>
  <p>The group was created linuXploit_crew on 05/04/2007. </p>
  <p>Members of the season Hualdo / c0d3_bl4ck_ninja / _seri4l_kill3r_ / lordx 
    / derf - </p>
  <p>Currently year 2008 has Hualdo / derf-lordx and he has returned to the group 
    and _Seri4l_Kill3r_ This off </p>
  <p>The name was created in madness and a half without fanciness </p>
  <p>At the time it was created due to revolt against a group core-project former 
    member of the core group-project found the hacker so great because windows 
    machines and said it did not accept it but strangely themselves create 1 tool 
    to attract PDW </p>

  <p>One of the reasons come from another group Brazilian defacers is not post 
    SUBDIR accept on behalf of the group or whether only main page changed ie 
    the index I have always believed that deface and the main page changed and 
    not www.site.com / blablabla.htm remember the site alldas index only changed 
    but a day just to alldas</p>
  <p> Entered the scene at the site zoneh very good start after a while groups 
    began appearing posting / SUBDIR mostly Turkish and Chinese posting to grow 
    in the Hank </p>
  <p>linuXploit_crew is not better or worse just trying to do the difference in 
    defacers</p>
  <p>:: Membros:: </p>
  <p>Hualdo - _Seri4l_Kill3r_ - DeRf- - LordX </p>
  <p>Greetz Elite Top Team - OutLaw - Spykids - Red Eye - H4ckersBr </p>

  <p> </p>
  <p> </p>
</div>
</body>
</html>

Technorati Tags: linuxploit_crew,FrontPage Extensions exploit,XP exploit,IIS exploit