Welcome to WebmasterWorld Guest from 54.196.244.206

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

Microsoft-WebDAV - What was this trying to do?

     
8:21 pm on Apr 27, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts:3143
votes: 12


What was this bot trying to do? My server is Linux/Apache so if it's related to the vulnerability I'd like to know.

Possibly related post...
[webmasterworld.com...]

xx.xx.100.197 - - [10/Apr/2006:02:27:56 +0000] "PROPFIND /downloads HTTP/1.1" 301 331 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:57 +0000] "PROPFIND /downloads/ HTTP/1.1" 404 12978 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:57 +0000] "PROPFIND /downloads HTTP/1.1" 301 331 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:57 +0000] "PROPFIND /downloads/ HTTP/1.1" 404 12978 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:58 +0000] "OPTIONS / HTTP/1.1" 200 6876 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:58 +0000] "PROPFIND /downloads HTTP/1.1" 301 331 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
xx.xx.100.197 - - [10/Apr/2006:02:27:59 +0000] "PROPFIND /downloads/ HTTP/1.1" 404 12978 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

- John

4:31 pm on May 5, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5408
votes: 2


a Google on "propfind" will return info.

Another old Webamster World thread
[webmasterworld.com...]

12:24 am on May 6, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts:3143
votes: 12


Wiki...

WebDAV
Web-based Distributed Authoring and Versioning
"aim is to make the World Wide Web a readable and writable medium"

PROPFIND
"...overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system."

securityspace
IIS propfind DoS
"Performs a denial of service against IIS"

It could have been a possible DOS attack. I don't see any other reason for this happening.

- John

12:58 am on May 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5408
votes: 2


It could have been a possible DOS attack. I don't see any other reason for this happening.

John,
As I vaguely mentioned on the older thread, I've had these, from a visitor whose identity was confirmed and there was NOT any malicious intent.
Rather, this person accidentally performed some option in Front Page.

I've had so few of these instances over the years that they are not of any real concern to me.
On one occassion in which the process occurred multiple times from the same IP range (unknown identity), I notified both my web host and the visitors internet provider.

Don

7:17 am on May 6, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:June 3, 2002
posts:566
votes: 0


<LimitExcept HEAD GET POST>
order deny,allow
deny from all
</LimitExcept>

will do just fine. Some of us may even not need POST.

Jan

6:01 pm on May 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 22, 2001
posts:2450
votes: 0


fantastic post, bull.
7:33 am on May 7, 2006 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member jab_creations is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 26, 2004
posts:3143
votes: 12


Yes thanks Jan!

- John

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members