[Dshield] PROPFIND?

Mrcorp mrcorp at yahoo.com
Fri Jun 6 13:33:21 GMT 2003


This also happens if you have OWA and someone accesses it or maps a drive to that system.

One word of caution, NOT ALL TRAFFIC IS HOSTILE.  One thing I noticed about this group is
paranoia..

mrcorp


--- Joe Stewart <jstewart at lurhq.com> wrote:
> On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> > I wonder if anyone can explain what someone might be trying to do.  Here is
> > an entry from my IIS log.
> >
> > ClientHost Username LogTime  Service Machine ServerIP ProcessingTime
> > BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation
> > Target Parameters 207.61.18.40 -  6/5/2003 8:22 W3SVC1 Server X.X.X.X  578 
> > 84  956  207  WebDAV Multi-Status 0  PROPFIND / -
> 
> This may be someone running the KaHT exploit against your server. It would be
> followed up by a "SEARCH /" and some shellcode if the propfind request shows
> you are running IIS with WebDav enabled.
> 
> -Joe
> 
> -- 
> Joe Stewart, GCIH 
> Senior Intrusion Analyst
> LURHQ Corporation
> http://www.lurhq.com/
> 


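An added example, not part of the original thread or written by either poster: a small log triage script that separates a lone PROPFIND (which, as noted above, OWA or a mapped drive also produces) from a PROPFIND that the same client follows with a SEARCH. The five-minute window, the verdict labels and all sample lines except the first are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune for your site

SAMPLE = [
    # the entry quoted in the thread
    "207.61.18.40 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578 84 956 207 WebDAV Multi-Status 0 PROPFIND / -",
    # constructed lines (documentation addresses, placeholder sizes and status values)
    "192.0.2.10 - 6/5/2003 9:01 W3SVC1 Server X.X.X.X 31 84 956 207 WebDAV Multi-Status 0 PROPFIND / -",
    "192.0.2.10 - 6/5/2003 9:02 W3SVC1 Server X.X.X.X 47 65000 0 500 Internal Server Error 0 SEARCH / -",
    "198.51.100.7 jdoe 6/5/2003 9:30 W3SVC1 Server X.X.X.X 15 120 2048 207 WebDAV Multi-Status 0 PROPFIND /exchange/jdoe/Inbox -",
]

def parse(line):
    """Parse the column layout quoted above; ServiceStatusDesc may contain spaces."""
    tok = line.split()
    if len(tok) < 15:  # 11 leading + 4 trailing columns, description may be empty
        return None
    try:
        when = datetime.strptime(tok[2] + " " + tok[3], "%m/%d/%Y %H:%M")
    except ValueError:
        return None
    # Operation and Target are read from the right so the free-text
    # description in the middle cannot shift them.
    return {"client": tok[0], "time": when, "op": tok[-3].upper(), "target": tok[-2]}

def classify(lines):
    """Return {client: verdict} for every client that sent a PROPFIND."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["op"] in ("PROPFIND", "SEARCH"):
            events[rec["client"]].append(rec)
    verdicts = {}
    for client, recs in events.items():
        probes = [r["time"] for r in recs if r["op"] == "PROPFIND"]
        if not probes:
            continue
        followed = any(r["op"] == "SEARCH"
                       and timedelta(0) <= r["time"] - p <= WINDOW
                       for r in recs for p in probes)
        verdicts[client] = "propfind-then-search" if followed else "propfind-only"
    return verdicts

if __name__ == "__main__":
    for client, verdict in classify(SAMPLE).items():
        print(client, verdict)
```

A "propfind-only" verdict says nothing either way; it only means the follow-up request described in the quoted reply was not logged from that client inside the window.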



