Forum Moderators: DixonJones
Appears out of nowhere..
----------
63.18.136.*** - - [25/May/2005:01:23:06 -0400] "OPTIONS / HTTP/1.1" 200 -
63.18.136.*** - - [25/May/2005:01:23:06 -0400] "PROPFIND /C%24 HTTP/1.1" 405 315
----------
Then he was gone..
I'm used to the usual GET and POST requests via the script kiddies and worms, but what's up with that OPTIONS method? Apparently this guy was looking to see what my server could and couldn't do. The only problem I have is I can't figure out what the person done to get OPTIONS to pop up in my server's logs. I'm obviously not a very experienced webmaster so sorry. I searched around, looked through the manual, etc, but it didn't tell me much.
How in the world do I recreate the first line in the above snippit? It just makes me uncomfortable when a cracker does something that's above me.. fill me in please!
[edited by: justin_holton at 3:52 pm (utc) on June 8, 2005]
(Edit: Nevermind, I found it.)
The typical user agents that call for OPTIONS are:
Microsoft Data Access Internet Publishing Provider Cache Manager
Microsoft Data Access Internet Publishing Provider DAV
Microsoft Data Access Internet Publishing Provider DAV 1.1
Microsoft Data Access Internet Publishing Provider Protocol Discovery
Microsoft Office Protocol Discovery
Microsoft-WebDAV-MiniRedir/5.1.2600
You can add something like this to your .htaccess file to block them:
RewriteCond %{HTTP_USER_AGENT} ^(Microsoft¦MFC).(Data¦Internet¦URL¦WebDAV¦Foundation¦Office).(Access¦Browser¦Explorer¦Control¦MiniRedir¦Class¦Protocol) [NC]
RewriteRule .* - [F] (sorry about the horizontal scroll ;))
BTW, can I block that stuff in the httpd.conf file? I thought a general rule of thumb was not to use *.htaccess unless it's absolutely necessary. Apparently they need to be placed in the directory on the website, and that doesn't sound too secure to me.
Thanks again.
