[Dshield] WebDAV Web Log Signature

Rohit Dhamankar rohitd at tippingpoint.com
Wed Mar 26 16:46:49 GMT 2003

In general, my suggstion would be to watch out for any webDAV specific
methods like
The exploits circulating could easily be changed to use these other methods
and I think the
attack will still work

-----Original Message-----
From: John Hardin [mailto:johnh at aproposretail.com]
Sent: Wednesday, March 26, 2003 10:23 AM
To: General DShield Discussion List
Subject: Re: [Dshield] WebDAV Web Log Signature

On Tue, 2003-03-25 at 12:11, Johannes Ullrich wrote:
> If you are not using WebDAV, just searching for '"SEARCH' should 
> work ok. There may be other ways to exploit this, so keep an
> open mind and look in general for overly large lines in your 
> web log.

I have "OPTIONS" and "PROPFIND" log entries as well, but they don't
appear to be exploit attempts.

This web server does not support any form of DAV. Should we add these
(or perhaps *all* DAV keywords) as "generic scanning activity"
signatures for non-DAV webservers, and report them?

Also, there does appear to be an IIS DoS involving "PROPFIND".

John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
 57 days until The Matrix Reloaded

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list