[Dshield] help identify IIS log entry

David Jobes djobes at xscanners.org
Wed Mar 26 20:00:44 GMT 2003


I just ran this script against my logs, and I was amazed to find what looks
like several hundred entries for the .ida and a couple of the following:

ov1-24.171.2.99.charter-stl.com - - [16/Mar/2003:11:58:41 +0000] "OPTIONS / HTTP/1.1" 200 31560
ov1-24.171.2.99.charter-stl.com - - [16/Mar/2003:12:02:04 +0000] "OPTIONS / HTTP/1.1" 200 31560

I run Apache, with no DAV support, so how can they get a 200 return on this?

I have forwarded the logs as well.


--------------------------------------
David Jobes - CISSP
Web:       http://www.xscanners.org
yahooid:   davidjobes31770
aimid:     aggrogade
email:     djobes at xscanners.org

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of John Hardin
Sent: Wednesday, March 26, 2003 10:38 AM
To: General DShield Discussion List
Subject: Re: [Dshield] help identify IIS log entry


On Tue, 2003-03-25 at 17:56, Johannes Ullrich wrote:
>
> For now, and to get started on this, let's just send logs to
> 'webdav at dshield.org'.
> I will not add them to a database, but just use
> a couple grep scripts to get them organized. IIS or Apache logs are
> fine.

Sample from /etc/logrotate.d/apache:

  /var/log/httpd/access_log {
    rotate 8
    missingok
    prerotate
      egrep '"GET .*\.ida\?' /var/log/httpd/access_log |
         mail -s 'APACHE' redalert at dshield.org root at localhost
      egrep '"GET .*\/msadc\/' /var/log/httpd/access_log |
         mail -s 'MSADC' root at localhost
      egrep '"(SEARCH|OPTIONS|PROPFIND|SUBSCRIBE|NOTIFY) ' /var/log/httpd/access_log |
         mail -s 'WebDAV' webdav at dshield.org root at localhost
    endscript
    postrotate
        /usr/bin/killall -HUP httpd 2> /dev/null || true
    endscript
  }

(probably some wrapping to clean up before use...)


--
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 57 days until The Matrix Reloaded

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
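As an added example (not from the thread), the three greps in the logrotate prerotate script above, reimplemented in Python so the hits can be counted per source host; it runs over constructed sample lines that include the two OPTIONS entries quoted in this message. A 200 on "OPTIONS /" is Apache's normal reply to a core HTTP/1.1 method, so the script flags the probe by method rather than reading anything into the status code.

```python
import re
from collections import Counter

# Apache access-log shape of the entries quoted in the thread:
# host ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# The same three buckets the logrotate prerotate script greps for.
WEBDAV_METHODS = {"SEARCH", "OPTIONS", "PROPFIND", "SUBSCRIBE", "NOTIFY"}

def classify(line):
    """Return (category, host, status) for a probe line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group("method"), m.group("path")
    if method == "GET" and ".ida?" in path:      # Code Red style .ida probe
        tag = "ida"
    elif method == "GET" and "/msadc/" in path:  # MSADC probe
        tag = "msadc"
    elif method in WEBDAV_METHODS:               # WebDAV method probe
        tag = "webdav"
    else:
        return None
    return tag, m.group("host"), m.group("status")

def summarize(lines):
    """Count probes per (category, host) over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit[0], hit[1])] += 1
    return counts

# Constructed sample: the two OPTIONS lines from the thread, plus made-up .ida,
# msadc and ordinary requests. The .ida query string is a placeholder.
SAMPLE = [
    'ov1-24.171.2.99.charter-stl.com - - [16/Mar/2003:11:58:41 +0000] "OPTIONS / HTTP/1.1" 200 31560',
    'ov1-24.171.2.99.charter-stl.com - - [16/Mar/2003:12:02:04 +0000] "OPTIONS / HTTP/1.1" 200 31560',
    '192.0.2.10 - - [16/Mar/2003:12:05:00 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 280',
    '192.0.2.11 - - [16/Mar/2003:12:06:00 +0000] "GET /msadc/msadcs.dll HTTP/1.0" 404 290',
    '192.0.2.12 - - [16/Mar/2003:12:07:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for (tag, host), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:4} {tag:7} {host}")
```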


