[Dshield] WebDAV Web Log Signature

John Hardin johnh at aproposretail.com
Wed Mar 26 16:22:43 GMT 2003


On Tue, 2003-03-25 at 12:11, Johannes Ullrich wrote:
> 
> If you are not using WebDAV, just searching for '"SEARCH' should 
> work ok. There may be other ways to exploit this, so keep an
> open mind and look in general for overly large lines in your 
> web log.

I have "OPTIONS" and "PROPFIND" log entries as well, but they don't
appear to be exploit attempts.

This web server does not support any form of DAV. Should we add these
(or perhaps *all* DAV keywords) as "generic scanning activity"
signatures for non-DAV webservers, and report them?

Also, there does appear to be an IIS DoS involving "PROPFIND".

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 57 days until The Matrix Reloaded
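
The signature idea discussed in this message, as an added example that is not part of the original post: a Python check that tags WebDAV methods seen on a server that does not offer DAV and flags overly large request lines. The Common/Combined Log Format input, the 2048-byte threshold, the function names and the sample log lines are all assumptions made for illustration.

```python
import re

# WebDAV methods from RFC 2518, plus SEARCH (the method named in the thread).
# OPTIONS is ordinary HTTP/1.1, so it is deliberately not in this set.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "SEARCH"}
# Assumed threshold for an "overly large" request line; tune per site.
MAX_REQUEST_LEN = 2048

# host ident user [time] "request" status bytes (extra combined-format fields ignored)
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "(.*?)" (\d{3}|-) (\S+)')

def classify(line, server_uses_dav=False, max_len=MAX_REQUEST_LEN):
    """Return (source, [tags]) for one access-log line, or None if unparseable."""
    m = CLF.match(line)
    if not m:
        return None
    src, _ts, request, _status, _size = m.groups()
    tags = []
    method = request.split(" ", 1)[0].upper()
    # A DAV verb only counts as scanning noise when the server offers no DAV.
    if method in DAV_METHODS and not server_uses_dav:
        tags.append("dav-method:" + method)
    # Length is checked for every method, per the "overly large lines" advice.
    if len(request) > max_len:
        tags.append("oversize-request:%d" % len(request))
    return src, tags

def scan(lines, **kw):
    """Aggregate tags per source address across many log lines."""
    report = {}
    for line in lines:
        hit = classify(line, **kw)
        if hit and hit[1]:
            report.setdefault(hit[0], []).extend(hit[1])
    return report

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2003:08:01:02 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [26/Mar/2003:08:03:10 -0800] "PROPFIND / HTTP/1.1" 501 -',
    '192.0.2.77 - - [26/Mar/2003:08:03:11 -0800] "OPTIONS / HTTP/1.1" 200 -',
    '198.51.100.5 - - [26/Mar/2003:08:09:44 -0800] "SEARCH /' + "A" * 3000 + ' HTTP/1.1" 414 -',
]

if __name__ == "__main__":
    for src, tags in scan(SAMPLE).items():
        print(src, tags)
```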


