Dav

wilderness

2:39 pm on Aug 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Haven't seen this UA in a while (old threads).

Been attempting approx. 25 pages every day or two.
All are PUT and most for pages that are non-existent.

207.105.207.zz - - [04/Aug/2009:08:16:26 +0100] "PUT /index.htm HTTP/1.0" 403 1159 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"

tracert provides dsl Los Angeles.

keyplyr

1:30 am on Aug 5, 2009 (gmt 0)

I was unaware that M$ Front Page (or equivalent) could be used to inject files to a site.

GaryK

2:13 am on Aug 5, 2009 (gmt 0)

I just went and looked. It started visiting again on August 2nd and has made 1,000 visits since then. I can't tell from my database what sites or pages it's been messing with or what it's been doing. But I'm gonna pull my log files now and run the report I usually run at the end of the week. Thanks for the heads up.

wilderness

1:40 pm on Aug 5, 2009 (gmt 0)

I was unaware that M$ Front Page (or equivalent) could be used to inject files to a site.

keyplyr,
DAV is not exclusive to FP.

Somewhere we've an old thread with a lengthy discussion/explanation of DAV.

I've this (excerpt) saved from another site:

Web Dav is actually a custom extension by MS of HTTP 1.1. These http extensions are built into IIS 5.0 and IE 5.0. In other words, once you have installed IIS 5, when you access it from IE 5 or from ‘My Network Places’, you are Web Dav enabled. No setup switches to turn on. The downside is that you can’t turn it OFF either.
end of quote

Thus anybody using any MS Server function (IIS, FP or otherwise) and/or module would be susceptible to botnet weakness, due to vulnerabilities of the various versions.

keyplyr

12:57 am on Aug 6, 2009 (gmt 0)

Thanks Don. I didn't know any of that. I've blocked DAV for several years always assuming it was being used for site downloads as a utility of FP only.

wilderness

1:07 am on Aug 6, 2009 (gmt 0)

keyplyr,
Most of us had this denied for an eternity.
The only reason I added the heads up is because I really hadn't seen it in a long while, and years ago we used to see both GET and PUT frequently.

BTW, this thingy didn't appear until my host did an Apache Kernel Update (re-read the update explanation half-a-dozen times and still don't understand how it benefits me).
It may be just a coincidence in the appearance, however it was timely ;)

The Windows Server updates have been ongoing for some time. I read the info and don't see any benefit to the newer versions and simply refuse the updates.

Samizdata

3:58 am on Aug 6, 2009 (gmt 0)

Web Dav is actually a custom extension by MS of HTTP 1.1

WebDAV (Web-based Distributed Authoring and Versioning) is a custom extension to HTTP but it comes via the W3C (not Microsoft). Client support is built-in on Linux, OSX and Windows and it can be used on Apache and other webservers.

It can be a useful way to add an account-based "drop box" facility to a website - a common use is giving password-restricted access to a specific area, where users have upload and edit privileges (e.g. students can download their course files and upload their homework).

If you don't run such a facility on your site then all WebDAV requests can be blocked.

Pfui

8:24 am on Aug 6, 2009 (gmt 0)

I don't really pay attention to Things DAV (or the vast majority of non-^Mozilla.* UAs) anymore because, like others, I've blocked them for as long as I can remember. And with good reason:

78.181.211.nnn (Turkey)
Microsoft Data Access Internet Publishing Provider DAV 1.1
Exploit attempt

-----
These apparently related UAs used OPTIONS --

Microsoft Office Protocol Discovery
Microsoft Data Access Internet Publishing Provider Protocol Discovery

-- and PROPFIND:

Microsoft-WebDAV-MiniRedir/6.0.6000

And these were just bad eggs. All exploit attempts:

121.135.37.nn (South Korea)
Microsoft-WebDAV-MiniRedir/5.1.2600

58.127.162.nnn (South Korea)
Microsoft-WebDAV-MiniRedir/5.1.2600

202.149.24.nnn (Thailand)
Microsoft-WebDAV-MiniRedir/6.0.6000

wilderness

1:50 pm on Aug 6, 2009 (gmt 0)

Pfui,
I wouldn't have paid any attention had the requests come from a non-North American IP range.
These came from a PacBell range that I've long denied.