[Dshield] PROPFIND?

Joe Stewart jstewart at lurhq.com
Fri Jun 6 13:17:07 GMT 2003


On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> I wonder if anyone can explain what someone might be trying to do.  Here is
> an entry from my IIS log.
>
> ClientHost Username LogTime Service Machine ServerIP ProcessingTime
> BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation
> Target Parameters
>
> 207.61.18.40 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578 84 956 207
> WebDAV Multi-Status 0 PROPFIND / -

This may be someone running the KaHT exploit against your server. It would be
followed up by a "SEARCH /" and some shellcode if the PROPFIND request shows
you are running IIS with WebDAV enabled.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
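
Added example, not part of the original message or of any tool named in it: a log check for the pattern described above, a "PROPFIND /" answered with 207 Multi-Status and then a SEARCH from the same client. It assumes a tab-separated export with the columns in the order quoted in the thread; the 10-minute window, the labels, the helper names and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Column order copied from the log entry quoted in the thread.
# Assumption: the log was exported tab-separated, one request per line.
FIELDS = ["ClientHost", "Username", "LogTime", "Service", "Machine", "ServerIP",
          "ProcessingTime", "BytesRecvd", "BytesSent", "ServiceStatus",
          "ServiceStatusDesc", "Win32Status", "Operation", "Target", "Parameters"]
WINDOW = timedelta(minutes=10)  # assumed follow-up window; tune per site

def row(host, when, status, desc, op, target):
    """Build one constructed log line (documentation-range addresses only)."""
    return "\t".join([host, "-", when, "W3SVC1", "Server", "X.X.X.X", "578",
                      "84", "956", status, desc, "0", op, target, "-"])

SAMPLE = "\n".join([  # constructed sample, not real traffic
    row("192.0.2.10", "6/5/2003 8:22", "207", "WebDAV Multi-Status", "PROPFIND", "/"),
    row("192.0.2.10", "6/5/2003 8:23", "500", "Internal Server Error", "SEARCH", "/"),
    row("198.51.100.7", "6/5/2003 9:00", "207", "WebDAV Multi-Status", "PROPFIND", "/"),
    row("203.0.113.5", "6/5/2003 9:30", "200", "OK", "GET", "/default.htm"),
    row("203.0.113.9", "6/5/2003 9:40", "501", "Not Implemented", "PROPFIND", "/"),
    "truncated\tline",
])

def parse(log_text):
    """Yield (time, host, operation, status) for each well-formed row."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS,
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    for rec in reader:
        try:
            when = datetime.strptime(rec["LogTime"], "%m/%d/%Y %H:%M")
            yield when, rec["ClientHost"], rec["Operation"].upper(), int(rec["ServiceStatus"])
        except (TypeError, ValueError, AttributeError):
            continue  # header row, short row or unparsable field

def classify(log_text):
    """Map client host -> 'webdav-probe' or 'probe-then-search'."""
    probes, verdict = {}, {}
    for when, host, op, status in sorted(parse(log_text), key=lambda r: r[0]):
        if op == "PROPFIND" and status == 207:  # 207 confirms WebDAV is enabled
            probes[host] = when
            verdict.setdefault(host, "webdav-probe")
        elif op == "SEARCH" and host in probes and when - probes[host] <= WINDOW:
            verdict[host] = "probe-then-search"
    return verdict

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A host labelled "probe-then-search" is the one to pull full request data for; a lone "webdav-probe" still tells you WebDAV answered and was visible to the client.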



