-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith,

I've been receiving these on occasion as well. I had contacted Compaq
about the one listed below, but never heard back from them. I don't
think these are intrusion attempts since all of them contain
'PROPFIND /instmsg/aliases/somename'. Seems to be some kind of software
that checks for an instant messaging directory of some sort. But what
app is that? MS Messenger?

Regards,
Frank

- --->8---

[**] WEB-MISC webdav propfind access [**]
07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x5EB05800 Ack: 0xAEEBAEB Win: 0x2238 TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62  g/aliases/fknobb
65 20 48 54 54 50 2F 31 2E 30 0D 0A 56 69 61 3A  e HTTP/1.0..Via:
20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43   1.0 PRXREO03..C
6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31  ontent-Length: 1
35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  59..Content-Type
3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74  : text/xml..Host
3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx  : xxxxxxxxxxxxx.
0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E  .Depth: 0..RVP-N
6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72  otifications-Ver
73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46  sion: 0.2..RVP-F
72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68  rom-Principal: h
74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70  ttp://im.cpqcorp
2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69  .net/instmsg/ali
61 73 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73  ases/richard.lus
68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  h..Connection: K
65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78  eep-Alive....<?x
6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22  ml version="1.0"
3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78  ?>.<d:propfind x
6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D  mlns:d='DAV:' xm
6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63  lns:r='http://sc
68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E  hemas.microsoft.
63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F  com/rvp/'><d:pro
70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64  p><r:state/><d:d
69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65  isplayname/><r:e
6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C  mail/></d:prop><
2F 64 3A 70 72 6F 70 66 69 6E 64 3E              /d:propfind>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

> -----Original Message-----
> From: McCammon, Keith [mailto:Keith.McCammonat_private]
> Sent: Friday, September 07, 2001 1:46 PM
>
> Can anyone explain to me what's happening here? WebDAV is disabled
> on the target web server per the MS procedure. Pat Sellers is an
> internal employee. I've seen several employee names coming across in
> this fashion, and it's starting to get bothersome. Unfortunately, I
> don't know much about WebDAV requests/replies (which is, of course,
> why I've kept it disabled).
>
> Any help would be appreciated.
>
> Keith
>
> [**] IDS475/web-iis_web-webdav-propfind [**]
> 09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
> TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
> ***AP*** Seq: 0xF92DC1E4 Ack: 0xB60B6704 Win: 0x4000 TcpLen: 20
> 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
> 67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65  g/aliases/pat.se
> 6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
> 56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
> 52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
> 67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
> 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
> 0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
> 6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth:
> 30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
> 69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
> 32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
> 63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
> 2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
> 6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
> 73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
> 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
> 69 76 65 0D 0A 0D 0A                             ive....

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: Free Dmitry Sklyarov !

iQA/AwUBO5lH1ZytSsEygtEFEQL2VACgz8M+ch5+SLXkm+QjzSTPvK42PjQAnjO9
OHnkJqvaclO5A+98Rxf1UGsK
=RjeX
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
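
Added example, not part of either post and not Snort's own code: a Python triage helper that rebuilds the HTTP request from the hex column of an alert like the two above and separates PROPFINDs that carry the RVP headers seen in both dumps (RVP is the presence protocol of Exchange 2000 Instant Messaging) from any other PROPFIND. The sample alert, the function names and the verdict labels are constructed for illustration.

```python
import re

# Hex column of one dump line: up to 16 uppercase byte tokens, optional "> "
# mail quoting in front, "xx" where the poster redacted a byte.
HEX_COL = re.compile(r"^(?:>\s*)*((?:(?:[0-9A-F]{2}|xx) ){1,16})")

# Constructed sample alert: names and hosts are made up, layout as in the posts.
SAMPLE = """\
[**] WEB-MISC webdav propfind access [**]
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 6A 64 6F 65 20 48  g/aliases/jdoe H
54 54 50 2F 31 2E 30 0D 0A 52 56 50 2D 4E 6F 74  TTP/1.0..RVP-Not
69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72 73 69  ifications-Versi
6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46 72 6F  on: 0.2..RVP-Fro
6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68 74 74  m-Principal: htt
70 3A 2F 2F 69 6D 2E 65 78 61 6D 70 6C 65 2E 6E  p://im.example.n
65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73  et/instmsg/alias
65 73 2F 62 6F 62 0D 0A 0D 0A                    es/bob....
"""

def payload_from_dump(dump):
    """Rebuild the payload from the hex column; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_COL.match(line.strip() + " ")
        if m:  # alert header lines do not start with a byte token
            out += bytes.fromhex(m.group(1).replace("xx", "78"))  # redacted -> 'x'
    return bytes(out)

def triage(dump):
    """Classify one alert and return the fields an analyst would look at."""
    head = payload_from_dump(dump).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ")[0]
    headers = {}
    for h in header_lines:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    rvp = (method == "PROPFIND" and path.lower().startswith("/instmsg/aliases/")
           and "rvp-notifications-version" in headers)
    verdict = "rvp-presence-lookup" if rvp else (
        "propfind-other" if method == "PROPFIND" else "not-propfind")
    return {"verdict": verdict,
            "alias": path.rsplit("/", 1)[-1] if rvp else None,
            "from_principal": headers.get("rvp-from-principal"),
            "via": headers.get("via")}
```

A `propfind-other` verdict is the case that still deserves a look on a server where WebDAV is meant to be disabled; the `from_principal` and `via` fields show which outside IM domain and proxy the lookup came through.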
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 15:23:23 PDT