WebDAV Propfind? Anyone?

From: McCammon, Keith (Keith.McCammonat_private)
Date: Fri Sep 07 2001 - 11:45:44 PDT


    Can anyone explain to me what's happening here?  WebDAV is disabled on the
    target web server per the MS procedure.  Pat Sellers is an internal
    employee.  I've seen several employee names coming across in this fashion,
    and it's starting to get bothersome.  Unfortunately, I don't know much about
    WebDAV requests/replies (which is, of course, why I've kept it disabled).
    
    Any help would be appreciated.
    
    Keith
    
    [**] IDS475/web-iis_web-webdav-propfind [**]
    09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
    TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
    ***AP*** Seq: 0xF92DC1E4  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
    50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
    67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65  g/aliases/pat.se
    6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
    56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
    52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
    67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
    74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
    0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
    6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth: 
    30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
    69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
    32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
    63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
    2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
    6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
    73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
    6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
    69 76 65 0D 0A 0D 0A                             ive....
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] IDS475/web-iis_web-webdav-propfind [**]
    09/07-13:57:13.840656 65.201.42.82:58299 -> X.X.X.X:80
    TCP TTL:115 TOS:0x0 ID:44856 IpLen:20 DgmLen:199 DF
    ***AP*** Seq: 0xF92DC2FB  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
    3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31  <?xml version="1
    2E 30 22 3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E  .0"?>.<d:propfin
    64 20 78 6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27  d xmlns:d='DAV:'
    20 78 6D 6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F   xmlns:r='http:/
    2F 73 63 68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F  /schemas.microso
    66 74 2E 63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A  ft.com/rvp/'><d:
    70 72 6F 70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C  prop><r:state/><
    64 3A 64 69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C  d:displayname/><
    72 3A 65 6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F  r:email/></d:pro
    70 3E 3C 2F 64 3A 70 72 6F 70 66 69 6E 64 3E     p></d:propfind>
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
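
Added example, not part of the original post or of any Snort tooling: a Python helper that rebuilds the HTTP request from the hex column of an alert in the format shown above and reports whether a flagged PROPFIND carries the RVP-* headers seen in that alert. The function names, the `kind` labels and the sample request are assumptions made for this example.

```python
import re

# A Snort payload row: 1-16 hex byte pairs, padding, then the ASCII column.
HEX_ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2} ){1,16}) ")
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def payload_bytes(alert_text):
    """Rebuild the payload from the hex column only (the ASCII column is lossy)."""
    out = bytearray()
    for row in alert_text.splitlines():
        m = HEX_ROW.match(row)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def triage(alert_text):
    """Summarise the HTTP request head in one alert; None if it has no request line."""
    head = payload_bytes(alert_text).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # e.g. a later segment carrying only the XML body
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    rvp = sorted(h for h in headers if h.startswith("rvp-"))
    # Labels are this example's own: "rvp" means the request carries RVP-* headers.
    kind = "rvp" if rvp else "webdav" if parts[0] in WEBDAV else "other"
    return {"method": parts[0], "target": parts[1], "kind": kind,
            "via": headers.get("via"), "rvp_headers": rvp}

def snort_dump(data):
    """Render bytes in the alert's row layout; used only to build the sample."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexcol = "".join(f"{b:02X} " for b in chunk).ljust(48)
        rows.append(hexcol + " " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return "\n".join(rows)

# Constructed sample request and alert header; values are not taken from the post.
SAMPLE_REQ = (b"PROPFIND /instmsg/aliases/user.name HTTP/1.0\r\nVia: 1.1 PROXY01\r\n"
              b"Host: im.example.com\r\nDepth: 0\r\nRVP-Notifications-Version: 0.2\r\n"
              b"RVP-From-Principal: http://im.example.net/instmsg/aliases/other\r\n\r\n")
SAMPLE_ALERT = ("[**] IDS475/web-iis_web-webdav-propfind [**]\n"
                "09/07-13:57:13.692020 192.0.2.10:58299 -> 198.51.100.5:80\n"
                + snort_dump(SAMPLE_REQ))

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

Working from the hex column matters when the ASCII column of a posted alert has been edited or sanitised, since only the hex bytes reflect what was on the wire.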
    


