jstewart at lurhq.com
Fri Jun 6 13:17:07 GMT 2003
On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> I wonder if anyone can explain what someone might be trying to do. Here is
> an entry from my IIS log.
> ClientHost Username LogTime Service Machine ServerIP ProcessingTime
> BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation
> Target Parameters 18.104.22.168 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578
> 84 956 207 WebDAV Multi-Status 0 PROPFIND / -
This may be someone running the KaHT exploit against your server. It would be
followed up by a "SEARCH /" and some shellcode if the propfind request shows
you are running IIS with WebDav enabled.
Joe Stewart, GCIH
Senior Intrusion Analyst
More information about the list