It certainly seems logical that it's some type of instant messaging application. And as you mentioned, I'm fairly certain that they aren't malicious system probes. But then again, I'm not running a propfind server, so that makes the traffic/requests illegitimate.

Anyway, what really stumps me is the fact that the host being contacted with all of these "user names" is just a web server. No one surfs from that box. It doesn't share that public address with any other systems or services. There is no domain affiliation. Nothing. I can't, for the life of me, figure out how and why this host is being contacted with this (quite specific) information.

Keith

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbeat_private]
Sent: Friday, September 07, 2001 6:19 PM
To: 'McCammon, Keith'; 'incidentsat_private'
Subject: RE: WebDAV Propfind? Anyone?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith,

I've been receiving these on occasion as well. I had contacted Compaq about the one listed below, but never heard back from them. I don't think these are intrusion attempts since all of them contain 'PROPFIND /instmsg/aliases/somename'. Seems to be some kind of software that checks for an instant messaging directory of some sort. But what app is that? MS Messenger?

Regards,
Frank

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
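A log-triage sketch for the requests discussed in this thread, added here as an example and not part of either message: it groups `PROPFIND /instmsg/aliases/<name>` requests by source address and by requested alias, which shows whether one client is walking many names or many clients are asking for the same few. The Common Log Format input, the addresses and the alias names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Common Log Format (documentation-range addresses,
# made-up alias names); none of these lines come from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Sep/2001:17:02:11 -0500] "PROPFIND /instmsg/aliases/alice HTTP/1.1" 404 283
192.0.2.10 - - [07/Sep/2001:17:02:15 -0500] "PROPFIND /instmsg/aliases/bob HTTP/1.1" 404 283
198.51.100.7 - - [07/Sep/2001:17:05:40 -0500] "GET /index.html HTTP/1.0" 200 1042
198.51.100.7 - - [07/Sep/2001:17:06:02 -0500] "PROPFIND /instmsg/aliases/alice HTTP/1.1" 501 0
203.0.113.5 - - [07/Sep/2001:17:09:30 -0500] "PROPFIND /docs/ HTTP/1.1" 404 283
203.0.113.5 - - [07/Sep/2001:17:09:31 -0500] "PROPFIND /InstMsg/Aliases/carol%40example.com HTTP/1.1" 404 283
malformed line without a request
"""

# source, ident, user, [timestamp], "METHOD path ...", status
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ALIAS_PREFIX = "/instmsg/aliases/"


def summarize(log_text):
    """Group PROPFIND /instmsg/aliases/<name> requests by source and by alias."""
    by_source = defaultdict(set)   # source address -> aliases it asked for
    by_alias = defaultdict(set)    # alias -> source addresses asking for it
    statuses = defaultdict(int)    # what the server answered
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count, don't silently drop, odd lines
            continue
        # Drop any query string, decode %XX, compare the prefix case-insensitively.
        path = unquote(m["path"].split("?", 1)[0])
        if m["method"] != "PROPFIND" or not path.lower().startswith(ALIAS_PREFIX):
            continue
        alias = path[len(ALIAS_PREFIX):].strip("/")
        by_source[m["src"]].add(alias)
        by_alias[alias].add(m["src"])
        statuses[m["status"]] += 1
    return {
        "by_source": {s: sorted(a) for s, a in by_source.items()},
        "by_alias": {a: sorted(s) for a, s in by_alias.items()},
        "statuses": dict(statuses),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```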
This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 12:26:02 PDT