
What is PROPFIND used for?

Found it in the server logs.


grandma genie

6:22 pm on Oct 5, 2010 (gmt 0)

10+ Year Member



Hi Jim,
I found this set of requests over and over again in my server logs yesterday and today. I blocked the IP because I didn't know what it was trying to do and it looked suspicious. Here is the set of requests:

216.56.15.nnn - - [05/Oct/2010:08:31:21 -0400] "PROPFIND /apicture.jpg HTTP/1.1" 403 327 "-" "-"
216.56.15.nnn - - [05/Oct/2010:08:31:21 -0400] "HEAD /apicture.jpg HTTP/1.1" 403 - "-" "-"
216.56.15.nnn - - [05/Oct/2010:08:31:21 -0400] "PROPFIND /apicture.jpg HTTP/1.1" 403 327 "-" "-"
216.56.15.nnn - - [05/Oct/2010:08:31:22 -0400] "HEAD /apicture.jpg HTTP/1.1" 403 - "-" "-"
216.56.15.nnn - - [05/Oct/2010:08:31:22 -0400] "GET /apicture.jpg HTTP/1.1" 403 327 "-" "-"

It was looking for a picture, the same one over and over. I'm not sure what PROPFIND is used for. I've never seen it before and saw a number of different ideas in Google search. One was that it was an exploit. I would appreciate your expert opinion on this. Thank you.
Jeannie

coopster

7:03 pm on Oct 5, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Hey Jeannie, it's WebDAV. See RFC 4918 or view the specs [webdav.org] on the WebDAV site.

Demaestro

7:10 pm on Oct 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It is used by WebDAV to get property information on files served by Apache.

It could be used to sniff for exploits but it isn't itself an exploit.

sublime1

7:11 pm on Oct 5, 2010 (gmt 0)

10+ Year Member



PROPFIND is an HTTP method that is part of the WebDAV protocol, which would allow servers to manage documents and versions. No doubt some server has used it, but unless your server is supporting WebDAV, it's almost certainly from a malicious bot that is looking for vulnerabilities or opportunities to exploit your web server.

(the following is just my opinion on this topic...)

Your server is responding properly, and that's probably sufficient to make the bot go away.

The thing about blocking bots like this is that very often the requests are actually made by some virus infected PC, or some vast network of computers. These particular requests are nearly costless for your server -- the server knows to instantly respond with a "shoo" message.

By far the most important takeaway is that it really is really, really, really important to make sure your server is secure: patched with the latest revisions of software, set with appropriate permissions on files, configured to prevent access, and so on. I used to think people were wasting their time worrying about security, and then I started looking at server access logs -- there is a constant stream of attempts to break in and find opportunities to take over servers.

I would also argue that blocking bots creates complexity, and in all complexity there's risk that you do something wrong that makes your site not work for legitimate users, or legitimate bots, like Googlebot.

Tom

grandma genie

7:25 pm on Oct 5, 2010 (gmt 0)

10+ Year Member



Thank you. You are all so very helpful. This is a great forum. - Jeannie

grandma genie

2:04 am on Oct 6, 2010 (gmt 0)

10+ Year Member



It might be helpful to see exactly what this visitor did before I blocked it:

216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /image.jpg HTTP/1.1" 403 331 "http://www.google.com/imgres?imgurl=http://www.mywebsite.com/image.jpgtypicalgooglesearchcodinghere" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /myfile.html HTTP/1.1" 200 4694 "http://www.google.com/imgres?imgurl=http://www.mywebsite.com/image.jpgtypicalgooglesearchcodinghere" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /image2.jpg HTTP/1.1" 200 6931 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /title.jpg HTTP/1.1" 200 9023 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /animated_file.gif HTTP/1.1" 200 10157 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /home.jpg HTTP/1.1" 200 9375 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /image.jpg HTTP/1.1" 200 18961 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:37 -0400] "GET /image.jpg HTTP/1.1" 200 15295 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:15:43 -0400] "GET /favicon.ico HTTP/1.1" 200 19342 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.nnn - - [04/Oct/2010:15:16:01 -0400] "PROPFIND /title.jpg HTTP/1.1" 405 351 "-" "-"
216.56.15.nnn - - [04/Oct/2010:15:16:02 -0400] "HEAD /title.jpg HTTP/1.1" 200 - "-" "-"
216.56.15.nnn - - [04/Oct/2010:15:16:02 -0400] "GET /title.jpg HTTP/1.1" 200 9023 "-" "-"
216.56.15.nnn - - [04/Oct/2010:15:16:09 -0400] "PROPFIND /title.jpg HTTP/1.1" 405 351 "-" "-"
216.56.15.nnn - - [04/Oct/2010:15:16:09 -0400] "HEAD /title.jpg HTTP/1.1" 200 - "-" "-"
216.56.15.nnn - - [04/Oct/2010:15:16:09 -0400] "GET /title.jpg HTTP/1.1" 200 9023 "-" "-"

Initially the server (hosted) gave this visitor a 405 for the PROPFIND request. All the other requests were getting 200s. Then I blocked it and it got the 403s. Needless to say, it is now blocked. I probably would still block any visitor making PROPFIND requests, unless there is some other reason to let them access my files. I think it is interesting that this visitor found my site using Google Images.
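The two log excerpts above (PROPFIND answered with 405 before the IP block, 403 after it) are the kind of thing worth pulling out of a log automatically rather than spotting by eye. The script below is an added example, not code from the thread or from WebmasterWorld: it parses Apache "combined" format lines, groups every WebDAV method (PROPFIND and the other RFC 4918 methods) by client address, notes whether those lines carried the blank User-Agent and Referer seen here, and says what each status code means for such a request. The sample lines are constructed to resemble the posted ones (the `216.56.15.1` address and `10.0.0.5` Googlebot line are made up for the example).

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Methods that RFC 4918 (WebDAV) adds on top of the core HTTP methods.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# What a given status means when the request used one of those methods.
STATUS_NOTES = {
    405: "Method Not Allowed: no handler for this method, i.e. WebDAV is not enabled",
    403: "Forbidden: refused by access control (e.g. an IP block)",
    200: "OK: the method was served; check whether WebDAV is meant to be on",
    207: "Multi-Status: a genuine WebDAV reply, so WebDAV IS enabled here",
}

# Constructed sample modeled on the lines posted in this thread; not the poster's real log.
SAMPLE_LOG = """\
216.56.15.1 - - [04/Oct/2010:15:15:37 -0400] "GET /title.jpg HTTP/1.1" 200 9023 "http://www.mywebsite.com/myfile.html" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
216.56.15.1 - - [04/Oct/2010:15:16:01 -0400] "PROPFIND /title.jpg HTTP/1.1" 405 351 "-" "-"
216.56.15.1 - - [04/Oct/2010:15:16:02 -0400] "HEAD /title.jpg HTTP/1.1" 200 - "-" "-"
216.56.15.1 - - [05/Oct/2010:08:31:21 -0400] "PROPFIND /apicture.jpg HTTP/1.1" 403 327 "-" "-"
216.56.15.1 - - [05/Oct/2010:08:31:22 -0400] "GET /apicture.jpg HTTP/1.1" 403 327 "-" "-"
10.0.0.5 - - [05/Oct/2010:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Apache logs "-" for a zero-byte body (HEAD responses, for example).
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def webdav_probes(log_text):
    """Group WebDAV-method requests by client address.

    Returns {host: {"count", "methods", "statuses", "paths", "blank_agent"}}
    for every host that sent at least one WebDAV method. blank_agent records
    the empty User-Agent seen on the probing lines in the thread.
    """
    probes = defaultdict(lambda: {"count": 0, "methods": set(), "statuses": set(),
                                  "paths": set(), "blank_agent": False})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["method"] not in WEBDAV_METHODS:
            continue
        p = probes[e["host"]]
        p["count"] += 1
        p["methods"].add(e["method"])
        p["statuses"].add(e["status"])
        p["paths"].add(e["path"])
        if e["agent"] == "-":
            p["blank_agent"] = True
    return dict(probes)


def webdav_served(log_text):
    """Hosts whose WebDAV requests got a 2xx, i.e. the server actually honoured them."""
    return sorted(h for h, p in webdav_probes(log_text).items()
                  if any(200 <= s < 300 for s in p["statuses"]))


def report(log_text):
    """Human-readable summary, one block per probing host."""
    lines = []
    for host, p in sorted(webdav_probes(log_text).items()):
        lines.append(f"{host}: {p['count']} WebDAV request(s) {sorted(p['methods'])} "
                     f"on {sorted(p['paths'])}; blank User-Agent: {p['blank_agent']}")
        for s in sorted(p["statuses"]):
            lines.append(f"    {s} -> {STATUS_NOTES.get(s, 'see RFC 2616 / RFC 4918')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The check that matters most is `webdav_served`: an empty list means every WebDAV method was rejected (405 or 403), which is the benign case from this thread. Any host listed there means the server answered a WebDAV method with success, and you should confirm that WebDAV is enabled on purpose and behind authentication. To run it against a real log, replace `SAMPLE_LOG` with the file contents; the regex assumes the stock combined format, so adjust it if your host adds fields.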

sublime1

1:26 pm on Oct 6, 2010 (gmt 0)

10+ Year Member



The HTTP 405 is also OK -- it means "Method Not Allowed" (methods are the things like "GET", "HEAD", or "PROPFIND").

Bots are normal. Like gnats: annoying but harmless for the most part, assuming you use proper methods of protection -- make sure your web server has the latest security patches, your web software, plugins, modules, and so on are all up to date. Some people go to lengths to prevent them, and this may be fine. My personal strategy has been to do a good job making sure my sites are well inoculated.

Tom
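For readers who want to see where the 405 and 403 in this thread come from in Apache terms, here is an added configuration example; it is not from the thread or from any poster's server. It assumes Apache httpd 2.2-style shared hosting of static files with `mod_dav` not loaded, and that `.htaccess` overrides are permitted for `mod_rewrite`. The `/dav` location and `/path/to/htpasswd` in the third part are hypothetical placeholders.

```apache
# Added example, not from the thread. Apache httpd 2.2 syntax; the directives
# shown also work on 2.4. Assumes mod_dav is NOT loaded and the site is static.

# 1. Default behaviour, nothing to configure. Without "LoadModule dav_module"
#    and without "Dav On", the core handler has no implementation of PROPFIND
#    and answers 405 Method Not Allowed, which is what the first log excerpt
#    in this thread shows. Just make sure no stray "Dav On" is in scope for
#    the document root.

# 2. An explicit refusal instead (403 Forbidden, the same code the poster's
#    IP block produced), from .htaccess via mod_rewrite. Matches only the
#    RFC 4918 methods, so GET/HEAD/POST from browsers and crawlers are untouched.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)$
RewriteRule .* - [F]

# 3. If WebDAV genuinely is needed, confine it to one path and require
#    authentication instead of enabling it site-wide (server config, not
#    .htaccess; mod_dav and mod_dav_fs loaded, DavLockDB set globally).
# <Location /dav>                              # hypothetical path
#     Dav On
#     AuthType Basic
#     AuthName "WebDAV"
#     AuthUserFile /path/to/htpasswd           # hypothetical path
#     Require valid-user
# </Location>
```

Part 2 needs `AllowOverride FileInfo` (or `All`) for the directory, otherwise the `.htaccess` rules are ignored and you are back to the default 405 from part 1, which, as the posts above point out, is already a correct refusal. Part 3 is the only case in which a PROPFIND should ever be answered with a 207 Multi-Status on your server, and then only after the client has authenticated.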

grandma genie

4:38 pm on Oct 6, 2010 (gmt 0)

10+ Year Member



Amen!