[Dshield] PROPFIND?

Paul Marsh pmarsh at nmefdn.org
Fri Jun 6 12:07:39 GMT 2003


If you have not already done so, please load URLScan onto your IIS box: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/URLScan.asp

-----Original Message-----
From: Rohit Dhamankar [mailto:rohitd at tippingpoint.com]
Sent: Friday, June 06, 2003 7:54 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] PROPFIND?


 

Walter,
The IIS on Windows 2000/XP enables WebDAV methods like PROPFIND, SEARCH etc.
by default and is vulnerable to a buffer overflow in the WebDAV methods.
The logs may be due to a request like "PROPFIND / HTTP/1.1", for which the
server generated the response code 207. Many exploits will send the overflow
code after this basic check.
For more details look at:
http://www.securityfocus.com/bid/7116

Rohit



-----Original Message-----
From: walter woodrow [mailto:oopicwow at yahoo.com]
Sent: Thursday, June 05, 2003 10:48 PM
To: list at dshield.org
Subject: [Dshield] PROPFIND?


I wonder if anyone can explain what someone might be trying to do.  Here is
an entry from my IIS log.
 
ClientHost Username LogTime Service Machine ServerIP ProcessingTime BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation Target Parameters
207.61.18.40 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578 84 956 207 WebDAV Multi-Status 0 PROPFIND / -

I looked up PROPFIND, but am still not sure why someone would be using
it at my site. I figured it was someone trying to find a hole in IIS.
 
Thanks,
Walter


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
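
The following Python example is added here and is not part of the original thread: it scans IIS log rows for WebDAV methods and reports, per client, whether the server answered the probe with 207 and whether a large WebDAV request followed. It assumes a tab-separated export using the column order from the log entry quoted above, rows in chronological order, and a size threshold chosen for illustration; the sample rows are constructed.

```python
import csv

# Column order copied from the log header quoted in the thread.
FIELDS = ("ClientHost Username LogTime Service Machine ServerIP ProcessingTime "
          "BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status "
          "Operation Target Parameters").split()
# WebDAV methods (RFC 2518) plus SEARCH; a plain web site rarely needs them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
LARGE_REQUEST_BYTES = 4096  # assumed, tunable threshold; not from the thread

# Constructed sample rows (tab-separated, documentation address ranges).
SAMPLE_LOG = "\n".join([
    "192.0.2.10\t-\t6/5/2003 8:22\tW3SVC1\tServer\t198.51.100.5\t578\t84\t956\t207\tWebDAV Multi-Status\t0\tPROPFIND\t/\t-",
    "192.0.2.10\t-\t6/5/2003 8:23\tW3SVC1\tServer\t198.51.100.5\t31\t65000\t0\t500\tInternal Server Error\t0\tSEARCH\t/\t-",
    "192.0.2.77\t-\t6/5/2003 8:24\tW3SVC1\tServer\t198.51.100.5\t15\t210\t4096\t200\tOK\t0\tGET\t/index.htm\t-",
    "203.0.113.9\t-\t6/5/2003 8:30\tW3SVC1\tServer\t198.51.100.5\t10\t84\t300\t404\tNot Found\t0\tPROPFIND\t/\t-",
])

def parse_rows(text):
    """Yield one dict per well-formed row, with numeric fields as int."""
    for raw in csv.reader(text.splitlines(), delimiter="\t"):
        if len(raw) != len(FIELDS):
            continue  # skip truncated or malformed rows
        row = dict(zip(FIELDS, raw))
        try:
            row["BytesRecvd"] = int(row["BytesRecvd"])
            row["ServiceStatus"] = int(row["ServiceStatus"])
        except ValueError:
            continue  # non-numeric size or status: not a usable row
        yield row

def webdav_findings(text):
    """Return {client: verdict} for every client that sent a WebDAV method."""
    got_207 = set()   # clients the server answered with 207 Multi-Status
    verdict = {}
    for row in parse_rows(text):
        if row["Operation"].upper() not in WEBDAV_METHODS:
            continue
        client = row["ClientHost"]
        verdict.setdefault(client, "probe-rejected")
        if client in got_207 and row["BytesRecvd"] >= LARGE_REQUEST_BYTES:
            verdict[client] = "probe-then-large-request"  # review this host first
        elif row["ServiceStatus"] == 207:
            got_207.add(client)
            if verdict[client] != "probe-then-large-request":
                verdict[client] = "probe-answered"  # WebDAV is enabled and replied
    return verdict
```

A "probe-answered" verdict on its own matches the single entry in the question: the server confirmed that WebDAV is enabled, which is the condition to remove on a box that does not need it.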




