[Dshield] WebDAV Web Log Signature

Fernando Viñan-Cano work at star-one.co.uk
Thu Mar 27 08:35:56 GMT 2003


Hi,

I've been following this thread on and off the last few days and wonder 
why no-one has mentioned installing Microsoft's URLSCAN dll for the IIS 
servers.

As well as stopping all requests for system files and other undesirables 
via IIS, you can tell it to also only allow specific methods for 
example, I only allow GET HEAD OPTIONS & POST (unfortunately I have to 
allow OPTIONS otherwise my users cannot use FrontPage).

So if you just configure it with only GET, HEAD & POST, the other 
exploits are immediately nullified.

Ferd

-----Original Message-----
From: Rohit Dhamankar [mailto:rohitd at tippingpoint.com] 
Sent: Wednesday, March 26, 2003 5:47 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] WebDAV Web Log Signature


In general, my suggestion would be to watch out for any WebDAV specific 
methods like SEARCH, PROPFIND, PROPPATCH, LOCK, UNLOCK etc. The exploits 
circulating could easily be changed to use these other methods and I 
think the attack will still work.

Rohit


-----Original Message-----
From: John Hardin [mailto:johnh at aproposretail.com]
Sent: Wednesday, March 26, 2003 10:23 AM
To: General DShield Discussion List
Subject: Re: [Dshield] WebDAV Web Log Signature


On Tue, 2003-03-25 at 12:11, Johannes Ullrich wrote:
> 
> If you are not using WebDAV, just searching for '"SEARCH' should
> work ok. There may be other ways to exploit this, so keep an
> open mind and look in general for overly large lines in your 
> web log.

I have "OPTIONS" and "PROPFIND" log entries as well, but they don't 
appear to be exploit attempts.

This web server does not support any form of DAV. Should we add these 
(or perhaps *all* DAV keywords) as "generic scanning activity" 
signatures for non-DAV webservers, and report them?

Also, there does appear to be an IIS DoS involving "PROPFIND".

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
 57 days until The Matrix Reloaded

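A detection pass over IIS W3C-format log lines that combines the suggestions in this thread: flag the WebDAV methods Rohit lists, flag overly large request lines as Johannes suggests, and report which requests a URLScan-style verb allow-list like Ferd's (GET, HEAD, POST, with OPTIONS added only when FrontPage clients need it) would have refused. This is an added example, not code from any of the posters or from URLScan itself. The log lines are constructed for the demonstration, and the 8 KB length threshold, the `dav_in_use` switch and the set of columns are assumptions (IIS writes whichever `#Fields` the administrator enabled, which is why the parser reads that directive instead of hard-coding positions).

```python
"""Scan IIS W3C-extended web logs for WebDAV method probes and oversized
request lines, and show which entries a URLScan verb allow-list would block.

Added example for this thread; not code from the posters or from URLScan.
The SAMPLE_LOG below is constructed for the demonstration.
"""
from dataclasses import dataclass, field

# WebDAV methods (RFC 2518) named in the thread, plus the other DAV verbs.
# OPTIONS is deliberately not here: it is core HTTP/1.1 and is caught by the
# allow-list check instead, which is what Ferd's URLScan setup does.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}

# Verb allow-list in the spirit of URLScan's [AllowVerbs]: GET HEAD POST.
DEFAULT_ALLOWED = {"GET", "HEAD", "POST"}

# Request-URI length above which an entry is flagged as "overly large".
# 8192 is an assumption for this example; normal page requests are far shorter.
MAX_REQUEST_LEN = 8192


@dataclass
class Finding:
    line_no: int
    client: str
    method: str
    uri_len: int
    reasons: list = field(default_factory=list)


def parse_w3c(lines):
    """Yield (line_no, record_dict) for each log record, mapping columns
    from the #Fields directive so column order is not hard-coded."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date ...
            continue
        if fields is None:
            raise ValueError("log record before #Fields directive at line %d" % n)
        # IIS writes spaces inside field values as '+', so a plain split is safe.
        yield n, dict(zip(fields, line.split(" ")))


def scan(lines, allowed=DEFAULT_ALLOWED, max_len=MAX_REQUEST_LEN, dav_in_use=False):
    """Return Findings for every record that is a DAV probe (on a server that
    does not serve DAV), an oversized request, or a verb outside the allow-list."""
    findings = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        uri_len = len(stem) + (0 if query == "-" else 1 + len(query))
        reasons = []
        if method in WEBDAV_METHODS and not dav_in_use:
            reasons.append("webdav-method")
        if uri_len > max_len:
            reasons.append("oversized-request")
        if method not in allowed:
            reasons.append("blocked-by-allowverbs")
        if reasons:
            findings.append(Finding(n, rec.get("c-ip", "-"), method, uri_len, reasons))
    return findings


# Constructed sample: two ordinary requests, a DAV-style discovery pair, and a
# SEARCH with a 70,000-byte path of the kind the thread calls "overly large".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-03-25 12:11:03 192.0.2.10 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-03-25 12:11:04 192.0.2.10 POST /scripts/form.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-03-25 12:12:17 198.51.100.7 OPTIONS / - 200 Microsoft+Data+Access+Internet+Publishing+Provider
2003-03-25 12:12:18 198.51.100.7 PROPFIND / - 405 Microsoft+Data+Access+Internet+Publishing+Provider
2003-03-25 12:13:41 203.0.113.99 SEARCH /{} - 500 -
""".format("A" * 70000)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print("line %d: %s %s len=%d %s" % (f.line_no, f.client, f.method,
                                            f.uri_len, ",".join(f.reasons)))
```

On a server that legitimately serves DAV, run `scan(..., dav_in_use=True, allowed=DEFAULT_ALLOWED | {"OPTIONS", "PROPFIND"})` so that normal FrontPage or Web Folders traffic is not reported and only oversized requests and verbs outside the allow-list remain; the "blocked-by-allowverbs" reason is a quick way to see, from an existing log, what adding a URLScan verb allow-list would have refused before deploying it.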
_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: 
http://www.dshield.org/mailman/listinfo/list