[Dshield] PROPFIND?

Witt, Allen DAVID.A.WITT at saic.com
Fri Jun 6 16:05:16 GMT 2003


I thought we were paid to be paranoid <GRIN>

aw

-----Original Message-----
From: Mrcorp [mailto:mrcorp at yahoo.com]
Sent: Friday, June 06, 2003 9:33 AM
To: General DShield Discussion List
Subject: Re: [Dshield] PROPFIND?


This also happens if you have OWA and someone accesses it or maps a drive to
that system.

One word of caution, NOT ALL TRAFFIC IS HOSTILE.  One thing I noticed about
this group is paranoia..

mrcorp


--- Joe Stewart <jstewart at lurhq.com> wrote:
> On Thursday 05 June 2003 11:48 pm, walter woodrow wrote:
> > I wonder if anyone can explain what someone might be trying to do.  Here is
> > an entry from my IIS log.
> >
> > ClientHost Username LogTime  Service Machine ServerIP ProcessingTime
> > BytesRecvd BytesSent ServiceStatus ServiceStatusDesc Win32Status Operation
> > Target Parameters 207.61.18.40 -  6/5/2003 8:22 W3SVC1 Server X.X.X.X 578
> > 84  956  207  WebDAV Multi-Status 0  PROPFIND / -
> 
> This may be someone running the KaHT exploit against your server. It would be
> followed up by a "SEARCH /" and some shellcode if the propfind request shows
> you are running IIS with WebDav enabled.
> 
> -Joe
> 
> -- 
> Joe Stewart, GCIH 
> Senior Intrusion Analyst
> LURHQ Corporation
> http://www.lurhq.com/
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list


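An added example, not part of the original thread: a log check that follows both points made above, ignoring a lone PROPFIND (which OWA or a mapped drive also produces) and reporting only a PROPFIND followed by a SEARCH from the same client. The column order is taken from the quoted log entry; the comma-separated export, the function name, the 10-minute window and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Column order as shown in the log entry quoted in the thread.
FIELDS = ["ClientHost", "Username", "LogTime", "Service", "Machine", "ServerIP",
          "ProcessingTime", "BytesRecvd", "BytesSent", "ServiceStatus",
          "ServiceStatusDesc", "Win32Status", "Operation", "Target", "Parameters"]

# Constructed sample rows (a comma-separated export is an assumption).
SAMPLE = """\
192.0.2.10,-,6/5/2003 8:22,W3SVC1,Server,198.51.100.5,578,84,956,207,WebDAV Multi-Status,0,PROPFIND,/,-
192.0.2.20,-,6/5/2003 8:30,W3SVC1,Server,198.51.100.5,310,120,1402,207,WebDAV Multi-Status,0,PROPFIND,/exchange/,-
192.0.2.10,-,6/5/2003 8:23,W3SVC1,Server,198.51.100.5,15,4096,0,207,WebDAV Multi-Status,0,SEARCH,/,-
192.0.2.30,-,6/5/2003 7:00,W3SVC1,Server,198.51.100.5,400,84,956,207,WebDAV Multi-Status,0,PROPFIND,/,-
192.0.2.30,-,6/5/2003 9:00,W3SVC1,Server,198.51.100.5,200,150,800,207,WebDAV Multi-Status,0,SEARCH,/,-
"""

def propfind_then_search(log_text, window=timedelta(minutes=10)):
    """Return (client, propfind_time, search_time) for each SEARCH that
    follows a PROPFIND from the same client within `window`."""
    rows = []
    for rec in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        rec["when"] = datetime.strptime(rec["LogTime"], "%m/%d/%Y %H:%M")
        rows.append(rec)
    rows.sort(key=lambda r: r["when"])      # rows may not be in time order

    last_propfind = {}                      # client -> time of latest PROPFIND
    hits = []
    for rec in rows:
        client, op = rec["ClientHost"], rec["Operation"].upper()
        if op == "PROPFIND":
            last_propfind[client] = rec["when"]
        elif op == "SEARCH" and client in last_propfind:
            # A lone PROPFIND is never reported; only the two-step sequence is.
            if rec["when"] - last_propfind[client] <= window:
                hits.append((client, last_propfind[client], rec["when"]))
    return hits

if __name__ == "__main__":
    for client, probe, search in propfind_then_search(SAMPLE):
        print(f"{client}: PROPFIND at {probe:%H:%M}, SEARCH at {search:%H:%M}")
```

A hit still needs review of the SEARCH request itself, since legitimate WebDAV clients can issue both methods.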