[Dshield] PROPFIND?

Fred Fell fredfell at wideopenwest.com
Fri Jun 6 14:03:00 GMT 2003


"just because we're paranoid doesn't mean someone isn't after us"

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Mrcorp
Sent: Friday, June 06, 2003 07:33
To: General DShield Discussion List
Subject: Re: [Dshield] PROPFIND?


This also happens if you have OWA and someone accesses it or maps a drive to
that system.

One word of caution, NOT ALL TRAFFIC IS HOSTILE.  One thing I noticed about
this group is paranoia..

mrcorp


--- Joe Stewart <jstewart at lurhq.com> wrote:
> On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> > I wonder if anyone can explain what someone might be trying to do.  
> > Here is an entry from my IIS log.
> >
> > ClientHost Username LogTime Service Machine ServerIP ProcessingTime BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation Target Parameters
> > 207.61.18.40 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578 84 956 207 WebDAV Multi-Status 0 PROPFIND / -
> 
> This may be someone running the KaHT exploit against your server. It 
> would be followed up by a "SEARCH /" and some shellcode if the 
> propfind request shows you are running IIS with WebDav enabled.
> 
> -Joe
> 
> --
> Joe Stewart, GCIH 
> Senior Intrusion Analyst
> LURHQ Corporation
> http://www.lurhq.com/
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
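
An added example, not part of the original posts: a Python triage pass over IIS records in the field order quoted above. It separates a lone PROPFIND (which, as noted in the thread, OWA or a mapped drive also produces) from a PROPFIND followed by a SEARCH from the same client. The tab-separated layout, the 5-minute window, the sample records and the names `rec`, `parse` and `classify` are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Field order copied from the log header quoted in the thread.
FIELDS = ("ClientHost Username LogTime Service Machine ServerIP ProcessingTime "
          "BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status "
          "Operation Target Parameters").split()

def rec(host, when, status, desc, op, target):
    """Build one constructed, tab-separated record in FIELDS order."""
    return "\t".join([host, "-", when, "W3SVC1", "Server", "X.X.X.X", "500",
                      "84", "956", status, desc, "0", op, target, "-"])

# Constructed sample data (documentation addresses, not values from the thread).
SAMPLE_LOG = "\n".join([
    rec("192.0.2.10", "6/5/2003 8:22", "207", "WebDAV Multi-Status", "PROPFIND", "/"),
    rec("192.0.2.10", "6/5/2003 8:23", "500", "Internal Server Error", "SEARCH", "/"),
    rec("198.51.100.7", "6/5/2003 9:00", "207", "WebDAV Multi-Status", "PROPFIND", "/exchange/"),
    rec("198.51.100.7", "6/5/2003 9:01", "200", "OK", "GET", "/exchange/inbox"),
    rec("203.0.113.5", "6/5/2003 9:30", "200", "OK", "GET", "/default.htm"),
    "truncated line that does not match the layout",
])

def parse(log_text):
    """Yield one dict per well-formed record; skip lines with a wrong field count."""
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # do not guess at malformed input
        row = dict(zip(FIELDS, cols))
        row["LogTime"] = datetime.strptime(row["LogTime"], "%m/%d/%Y %H:%M")
        yield row

def classify(rows, window=timedelta(minutes=5)):
    """Map each client that sent PROPFIND to 'propfind-only' or 'propfind-then-search'."""
    last_propfind, verdict = {}, {}
    for row in sorted(rows, key=lambda r: r["LogTime"]):
        host, op = row["ClientHost"], row["Operation"].upper()
        if op == "PROPFIND":
            last_propfind[host] = row["LogTime"]
            verdict.setdefault(host, "propfind-only")
        elif op == "SEARCH" and host in last_propfind:
            if row["LogTime"] - last_propfind[host] <= window:
                verdict[host] = "propfind-then-search"  # sequence worth a closer look
    return verdict

if __name__ == "__main__":
    for client, label in classify(parse(SAMPLE_LOG)).items():
        print(client, label)
```

Clients labelled `propfind-only` are the ones to check against known OWA or WebDAV users before treating them as a probe.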

