RE: WebDAV Propfind? Anyone?

From: Frank Knobbe (FKnobbeat_private)
Date: Fri Sep 07 2001 - 15:19:02 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Keith,
    
    I've been receiving these on occasion as well. I had contacted Compaq
    about the one listed below, but never heard back from them. I don't
    think these are intrusion attempts since all of them contain
    'PROPFIND /instmsg/aliases/somename'. Seems to be some kind of
    software that checks for an instant messaging directory of some sort.
    But what app is that? MS Messenger?
    
    Regards,
    Frank
    
    - --->8---
    [**] WEB-MISC webdav propfind access [**]
    07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
    TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
    ***AP*** Seq: 0x5EB05800  Ack: 0xAEEBAEB  Win: 0x2238  TcpLen: 20
    50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
    67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62  g/aliases/fknobb
    65 20 48 54 54 50 2F 31 2E 30 0D 0A 56 69 61 3A  e HTTP/1.0..Via:
    20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43   1.0 PRXREO03..C
    6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31  ontent-Length: 1
    35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  59..Content-Type
    3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74  : text/xml..Host
    3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx  : xxxxxxxxxxxxx.
    0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E  .Depth: 0..RVP-N
    6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72  otifications-Ver
    73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46  sion: 0.2..RVP-F
    72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68  rom-Principal: h
    74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70  ttp://im.cpqcorp
    2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69  .net/instmsg/ali
    61 73 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73  ases/richard.lus
    68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  h..Connection: K
    65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78  eep-Alive....<?x
    6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22  ml version="1.0"
    3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78  ?>.<d:propfind x
    6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D  mlns:d='DAV:' xm
    6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63  lns:r='http://sc
    68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E  hemas.microsoft.
    63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F  com/rvp/'><d:pro
    70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64  p><r:state/><d:d
    69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65  isplayname/><r:e
    6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C  mail/></d:prop><
    2F 64 3A 70 72 6F 70 66 69 6E 64 3E              /d:propfind>
    
    
    
    
    > -----Original Message-----
    > From: McCammon, Keith [mailto:Keith.McCammonat_private]
    > Sent: Friday, September 07, 2001 1:46 PM
    > 
    > Can anyone explain to me what's happening here?  WebDAV is 
    > disabled on the
    > target web server per the MS procedure.  Pat Sellers is an internal
    > employee.  I've seen several employee names coming across in 
    > this fashion,
    > and it's starting to get bothersome.  Unfortunately, I don't 
    > know much about
    > WebDAV requests/replies (which is, of course, why I've kept 
    > it disabled).
    > 
    > Any help would be appreciated.
    > 
    > Keith
    > 
    > [**] IDS475/web-iis_web-webdav-propfind [**]
    > 09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
    > TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
    > ***AP*** Seq: 0xF92DC1E4  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
    > 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
    > 67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65  g/aliases/pat.se
    > 6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
    > 56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
    > 52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
    > 67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
    > 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
    > 0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
    > 6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth: 
    > 30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
    > 69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
    > 32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
    > 63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
    > 2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
    > 6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
    > 73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
    > 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
    > 69 76 65 0D 0A 0D 0A                             ive....
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.8
    Comment: Free Dmitry Sklyarov !
    
    iQA/AwUBO5lH1ZytSsEygtEFEQL2VACgz8M+ch5+SLXkm+QjzSTPvK42PjQAnjO9
    OHnkJqvaclO5A+98Rxf1UGsK
    =RjeX
    -----END PGP SIGNATURE-----
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
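    Both captures in this thread share the same shape: a PROPFIND against /instmsg/aliases/<user>, Depth: 0, RVP-Notifications-Version and RVP-From-Principal headers, and (where the packet is not cut off) a DAV: propfind body asking for r:state, d:displayname and r:email in the http://schemas.microsoft.com/rvp/ namespace. That combination is what lets an analyst file such alerts as instant-messaging presence lookups rather than as WebDAV probing. The helper below is an added example, not code from either poster or from any vendor: it rebuilds the payload from Snort's hex/ASCII dump format, parses the HTTP request and the propfind body, and reports which properties were asked for and whether the RVP markers are present. The function names are mine, the sample request is constructed (host, principal and user names are made up), and redaction tokens of "xx" in a dump, as in Frank's Host line, are mapped to a literal "x" byte. The parser assumes a dump line never has more than 16 byte tokens before the ASCII column, which is how Snort prints it.

```python
import re
import xml.etree.ElementTree as ET

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|xx)$")
RVP_NS = "http://schemas.microsoft.com/rvp/"


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild the payload from Snort's 'hex columns + ASCII rendering' dump.

    Each line carries up to 16 byte tokens followed by an ASCII column; we stop
    at the 16th token or the first non-hex token. 'xx' (archive redaction) -> b'x'.
    """
    out = bytearray()
    for line in dump.splitlines():
        for n, tok in enumerate(line.split()):
            if n == 16 or not HEX_TOKEN.match(tok):
                break
            out.append(0x78 if tok == "xx" else int(tok, 16))
    return bytes(out)


def snort_hexdump(raw: bytes) -> str:
    """Render bytes in the same dump layout (used here to build the constructed sample)."""
    lines = []
    for i in range(0, len(raw), 16):
        chunk = raw[i:i + 16]
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hex_col}  {ascii_col}")
    return "\n".join(lines)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def requested_properties(body: bytes) -> list:
    """(namespace, local-name) pairs under d:prop, or [] if the body is absent/not a propfind."""
    if not body.strip():
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "{DAV:}propfind":
        return []
    props = []
    for prop in root.iter("{DAV:}prop"):
        for child in prop:
            ns, _, local = child.tag[1:].partition("}") if child.tag.startswith("{") else ("", "", child.tag)
            props.append((ns, local))
    return props


def classify(req: dict) -> dict:
    """Label a request: RVP presence lookup, generic WebDAV PROPFIND, or other."""
    h = req["headers"]
    verdict = {"method": req["method"], "target": req["target"], "kind": "other"}
    if req["method"] != "PROPFIND":
        return verdict
    props = requested_properties(req["body"])
    declared = int(h.get("content-length", "0") or 0)
    verdict["body_truncated"] = len(req["body"]) < declared   # e.g. packet cut off after the headers
    verdict["properties"] = [local for _, local in props]
    rvp_headers = any(k.startswith("rvp-") for k in h)
    rvp_props = any(ns == RVP_NS for ns, _ in props)
    if req["target"].startswith("/instmsg/aliases/") and (rvp_headers or rvp_props):
        verdict["kind"] = "rvp-presence-lookup"
        verdict["from_principal"] = h.get("rvp-from-principal")
        verdict["depth"] = h.get("depth")
    else:
        verdict["kind"] = "generic-webdav-propfind"
    return verdict


def triage(dump: str) -> dict:
    return classify(parse_http_request(parse_snort_hexdump(dump)))


# Constructed sample request (names and hosts are made up), rendered as a Snort dump.
_BODY = (b'<?xml version="1.0"?>\n'
         b"<d:propfind xmlns:d='DAV:' xmlns:r='http://schemas.microsoft.com/rvp/'>"
         b"<d:prop><r:state/><d:displayname/><r:email/></d:prop></d:propfind>")
SAMPLE_REQUEST = b"\r\n".join([
    b"PROPFIND /instmsg/aliases/jdoe HTTP/1.0",
    b"Via: 1.0 PROXY01",
    b"Content-Length: " + str(len(_BODY)).encode(),
    b"Content-Type: text/xml",
    b"Host: im.example.test",
    b"Depth: 0",
    b"RVP-Notifications-Version: 0.2",
    b"RVP-From-Principal: http://im.example.test/instmsg/aliases/asmith",
    b"Connection: Keep-Alive",
    b"", b""]) + _BODY
SAMPLE_DUMP = snort_hexdump(SAMPLE_REQUEST)

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    print(triage(SAMPLE_DUMP))
```

    Pasting the hex lines of either alert in this thread into `triage()` gives the same "rvp-presence-lookup" label; for Keith's capture the body is absent (the dump ends at the blank line although Content-Length says 159), so `body_truncated` is set and the property list comes back empty, which is worth knowing before concluding anything from a body you never saw.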
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 15:23:23 PDT