fredfell at wideopenwest.com
Fri Jun 6 14:03:00 GMT 2003
"just because we're paranoid doesn't mean someone isn't after us"
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Sent: Friday, June 06, 2003 07:33
To: General DShield Discussion List
Subject: Re: [Dshield] PROPFIND?
This also happens if you have OWA and someone accesses it or maps a drive to
One word of caution, NOT ALL TRAFFIC IS HOSTILE. One thing I noticed about
this group is paranoia..
--- Joe Stewart <jstewart at lurhq.com> wrote:
> On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> > I wonder if anyone can explain what someone might be trying to do.
> > Here is an entry from my IIS log.
> > ClientHost Username LogTime Service Machine ServerIP ProcessingTime BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation Target Parameters
> > 188.8.131.52 - 6/5/2003 8:22 W3SVC1 Server X.X.X.X 578 84 956 207 WebDAV Multi-Status 0 PROPFIND / -
> This may be someone running the KaHT exploit against your server. It
> would be followed up by a "SEARCH /" and some shellcode if the
> propfind request shows you are running IIS with WebDav enabled.
> Joe Stewart, GCIH
> Senior Intrusion Analyst
> LURHQ Corporation
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
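The two readings in this thread (a lone PROPFIND can be ordinary WebDAV traffic, while a PROPFIND answered with 207 and then followed by a SEARCH from the same client deserves review) can be separated by a small log triage. This is an added example, not code from any poster; the function names, the 10-minute window and the sample rows are assumptions, and the rows are constructed using the column names from the quoted log header.

```python
from datetime import datetime, timedelta

def row(host, when, op, target, status="-"):
    # Build one record with the column names shown in the quoted IIS log header.
    return {"ClientHost": host, "LogTime": when, "Operation": op,
            "Target": target, "ServiceStatus": status}

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_ROWS = [
    row("192.0.2.10", "6/5/2003 8:22", "PROPFIND", "/", "207"),
    row("192.0.2.10", "6/5/2003 8:23", "SEARCH", "/"),
    row("198.51.100.7", "6/5/2003 9:01", "PROPFIND", "/exchange/", "207"),
    row("198.51.100.7", "6/5/2003 9:01", "GET", "/exchange/", "200"),
    row("203.0.113.5", "6/5/2003 10:15", "PROPFIND", "/", "207"),
    row("203.0.113.5", "6/5/2003 11:40", "SEARCH", "/"),
]

def parse_time(value):
    # LogTime as it appears in the quoted entry, e.g. "6/5/2003 8:22".
    return datetime.strptime(value, "%m/%d/%Y %H:%M")

def triage(rows, window=timedelta(minutes=10)):
    """Map each client that sent a 207-answered PROPFIND to a verdict.

    'propfind-then-search': a SEARCH from the same client arrived within
    `window` of that PROPFIND (window length is an assumed tuning value).
    'propfind-only': no such follow-up, consistent with benign WebDAV use.
    """
    last_propfind = {}
    verdicts = {}
    for rec in sorted(rows, key=lambda r: parse_time(r["LogTime"])):
        host, op = rec["ClientHost"], rec["Operation"]
        ts = parse_time(rec["LogTime"])
        if op == "PROPFIND" and rec["ServiceStatus"] == "207":
            last_propfind[host] = ts
            verdicts.setdefault(host, "propfind-only")
        elif op == "SEARCH" and host in last_propfind:
            if ts - last_propfind[host] <= window:
                verdicts[host] = "propfind-then-search"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_ROWS).items():
        print(host, verdict)
```
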