mrcorp at yahoo.com
Fri Jun 6 13:33:21 GMT 2003
This also happens if you have OWA and someone accesses it or maps a drive to that system.
One word of caution, NOT ALL TRAFFIC IS HOSTILE. One thing I noticed about this group is
--- Joe Stewart <jstewart at lurhq.com> wrote:
> On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> > I wonder if anyone can explain what someone might be trying to do. Here is
> > an entry from my IIS log.
> > ClientHost Username LogTime Service Machine ServerIP ProcessingTime
> > BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation
> > Target Parameters 188.8.131.52 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578
> > 84 956 207 WebDAV Multi-Status 0 PROPFIND / -
> This may be someone running the KaHT exploit against your server. It would be
> followed up by a "SEARCH /" and some shellcode if the propfind request shows
> you are running IIS with WebDav enabled.
> Joe Stewart, GCIH
> Senior Intrusion Analyst
> LURHQ Corporation
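As an added example (not part of the original posts), the sequence described in the thread, a PROPFIND followed by a SEARCH from the same client, can be checked for in a log export, while a PROPFIND on its own is kept separate because OWA or a mapped drive also produces it. The comma-separated layout, the 10-minute window and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not real traffic). Column names follow the quoted
# log entry; the comma-separated layout itself is an assumption.
SAMPLE_LOG = """\
ClientHost,Username,LogTime,ServiceStatus,Operation,Target
192.0.2.10,-,6/5/2003 8:22,207,PROPFIND,/
192.0.2.10,-,6/5/2003 8:23,500,SEARCH,/
198.51.100.7,alice,6/5/2003 9:01,207,PROPFIND,/
198.51.100.7,alice,6/5/2003 9:01,207,PROPFIND,/public
203.0.113.5,-,6/5/2003 7:00,207,PROPFIND,/
203.0.113.5,-,6/5/2003 11:30,404,SEARCH,/
192.0.2.44,-,6/5/2003 10:15,200,GET,/default.htm
"""

WINDOW = timedelta(minutes=10)  # assumed follow-up window, tune for your site


def classify_clients(log_text, window=WINDOW):
    """Return {client: verdict} for every client that sent a PROPFIND."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for row in rows:
        row["_ts"] = datetime.strptime(row["LogTime"], "%m/%d/%Y %H:%M")

    last_propfind = {}  # client -> time of its most recent PROPFIND
    verdicts = {}
    for row in sorted(rows, key=lambda r: r["_ts"]):
        client, op = row["ClientHost"], row["Operation"].upper()
        if op == "PROPFIND":
            last_propfind[client] = row["_ts"]
            # A probe alone is not proof of hostility (OWA, mapped drives).
            verdicts.setdefault(client, "propfind-only")
        elif op == "SEARCH" and client in last_propfind:
            # SEARCH shortly after the probe matches the described follow-up.
            if row["_ts"] - last_propfind[client] <= window:
                verdicts[client] = "propfind-then-search"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client:15} {verdict}")
```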