Re: RE: WebDAV Propfind? Anyone?

From: Floris Meester (floris.meesterat_private)
Date: Sat Sep 08 2001 - 05:14:56 PDT

    It does not matter what it is; PROPFIND is known
    to put a heavy load on a machine, so you can use
    it as a DoS tool to bring someone down.
    Jakarta advises putting some security on the
    use of PROPFIND.
    Cheers, Flo
    
    Brady's First Law of Problem Solving:
            When confronted by a difficult problem, you can solve it more
    easily by reducing it to the question, "How would the Lone Ranger have
    handled this?"
    
    ----- Original Message -----
    From: Frank Knobbe <FKnobbeat_private>
    Date: Saturday, September 8, 2001 0:19 am
    Subject: RE: WebDAV Propfind?  Anyone?
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Keith,
    > 
    > I've been receiving these on occasion as well. I had contacted Compaq
    > about the one listed below, but never heard back from them. I don't
    > think these are intrusion attempts since all of them contain
    > 'PROPFIND /instmssoftware that checks for an instant messaging 
    > directory of some sort.
    > But what app is that? MS Messenger?
    > 
    > Regards,
    > Frank
    > 
    > - --->8---
    > [**] WEB-MISC webdav propfind access [**]
    > 07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
    > TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
    > ***AP*** Seq: 0x5EB05800  Ack: 0xAEEBAEB  Win: 0x2238  TcpLen: 20
    > 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
    > 67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62  g/aliases/fknobb
    > 65 20 48 54 54 50 2F 31 2E 30 0D 0A 56 69 61 3A  e HTTP/1.0..Via:
    > 20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43   1.0 PRXREO03..C
    > 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31  ontent-Length: 1
    > 35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  59..Content-Type
    > 3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74  : text/xml..Host
    > 3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx  : xxxxxxxxxxxxx.
    > 0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E  .Depth: 0..RVP-N
    > 6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72  otifications-Ver
    > 73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46  sion: 0.2..RVP-F
    > 72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68  rom-Principal: h
    > 74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70  ttp://im.cpqcorp
    > 2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69  .net/instmsg/ali
    > 61 73 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73  ases/richard.lus
    > 68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  h..Connection: K
    > 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78  eep-Alive....<?x
    > 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22  ml version="1.0"
    > 3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78  ?>.<d:propfind x
    > 6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D  mlns:d='DAV:' xm
    > 6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63  lns:r='http://sc
    > 68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E  hemas.microsoft.
    > 63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F  com/rvp/'><d:pro
    > 70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64  p><r:state/><d:d
    > 69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65  isplayname/><r:e
    > 6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C  mail/></d:prop><
    > 2F 64 3A 70 72 6F 70 66 69 6E 64 3E              /d:propfind>
    > 
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > =+=+
    > 
    > 
    > 
    > > -----Original Message-----
    > > From: McCammon, Keith [mailto:Keith.McCammonat_private]
    > > Sent: Friday, September 07, 2001 1:46 PM
    > > 
    > > Can anyone explain to me what's happening here?  WebDAV is 
    > > disabled on the
    > > target web server per the MS procedure.  Pat Sellers is an internal
    > > employee.  I've seen several employee names coming across in
    > > this fashion,
    > > and it's starting to get bothersome.  Unfortunately, I don't 
    > > know much about
    > > WebDAV requests/replies (which is, of course, why I've kept 
    > > it disabled).
    > > 
    > > Any help would be appreciated.
    > > 
    > > Keith
    > > 
    > > [**] IDS475/web-iis_web-webdav-propfind [**]
    > > 09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
    > > TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
    > > ***AP*** Seq: 0xF92DC1E4  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
    > > 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
    > > 67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65  g/aliases/pat.se
    > > 6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
    > > 56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
    > > 52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
    > > 67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
    > > 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
    > > 0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
    > > 6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth: 
    > > 30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
    > > 69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
    > > 32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
    > > 63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
    > > 2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
    > > 6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
    > > 73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
    > > 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
    > > 69 76 65 0D 0A 0D 0A                             ive....
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP Personal Privacy 6.5.8
    > Comment: Free Dmitry Sklyarov !
    > 
    > iQOHnkJqvaclO5A+98Rxf1UGsK
    > =RjeX
    > -----END PGP SIGNATURE-----
    > 
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
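Both captures quoted above share the same shape: `PROPFIND /instmsg/aliases/<name>` with `Depth: 0`, an `RVP-From-Principal` header naming the sender, and a property list drawn from `http://schemas.microsoft.com/rvp/` (`r:state`, `r:email`) plus `DAV:displayname`. That is what separates them from a general WebDAV PROPFIND, and it is also the distinction an IDS rule keyed only on the method name cannot make. The Python below is an added example, not code from any of the posters: it parses a raw PROPFIND request, checks the declared Content-Length against the body, lists the requested properties, and reports whether the request looks like an RVP presence lookup or a deep/all-property WebDAV walk of the kind Floris warns about. The first sample is rebuilt from the hex dump in Frank's post (its Host value was masked in the capture, so a placeholder is used); the second sample is constructed for contrast.

```python
"""Triage a captured PROPFIND request: RVP presence lookup or WebDAV enumeration?"""
import xml.etree.ElementTree as ET

DAV_NS = "DAV:"
RVP_NS = "http://schemas.microsoft.com/rvp/"

# Rebuilt from the hex dump in Frank's post. The Host value was masked in the
# capture, so "masked.example" is a placeholder (assumption, not from the page).
# The body is exactly the 159 bytes the Content-Length header declares.
SAMPLE_RVP_REQUEST = (
    b"PROPFIND /instmsg/aliases/fknobbe HTTP/1.0\r\n"
    b"Via: 1.0 PRXREO03\r\n"
    b"Content-Length: 159\r\n"
    b"Content-Type: text/xml\r\n"
    b"Host: masked.example\r\n"
    b"Depth: 0\r\n"
    b"RVP-Notifications-Version: 0.2\r\n"
    b"RVP-From-Principal: http://im.cpqcorp.net/instmsg/aliases/richard.lush\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>\n'
    b"<d:propfind xmlns:d='DAV:' xmlns:r='http://schemas.microsoft.com/rvp/'>"
    b"<d:prop><r:state/><d:displayname/><r:email/></d:prop></d:propfind>"
)

# Constructed for contrast: a body-less PROPFIND with no Depth header against
# the document root, the shape that makes a server walk its entire tree.
SAMPLE_ENUM_REQUEST = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: masked.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into request line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def requested_props(body):
    """Return the properties a PROPFIND body asks for, in Clark notation ({ns}name).

    RFC 2518: an empty body, or a DAV:allprop element, means "every property".
    """
    if not body.strip():
        return ["{DAV:}allprop"]
    root = ET.fromstring(body)
    if root.tag != "{%s}propfind" % DAV_NS:
        raise ValueError("body is not a DAV:propfind element: %s" % root.tag)
    if root.find("{%s}allprop" % DAV_NS) is not None:
        return ["{DAV:}allprop"]
    prop = root.find("{%s}prop" % DAV_NS)
    return [child.tag for child in prop] if prop is not None else []


def classify_propfind(raw):
    """Classify one PROPFIND request and collect the details an analyst would log."""
    req = parse_request(raw)
    hdr = req["headers"]
    notes = []
    if req["method"] != "PROPFIND":
        return {"verdict": "not-propfind", "method": req["method"], "notes": notes}

    declared = hdr.get("content-length")
    if declared is not None and int(declared) != len(req["body"]):
        # The body may simply sit in a later TCP segment (as in Keith's capture,
        # where the shown packet ends at the headers), but record it before
        # trusting whatever body is present.
        notes.append("content-length %s != body %d" % (declared, len(req["body"])))

    # RFC 2518: a PROPFIND without a Depth header behaves as Depth: infinity.
    depth = hdr.get("depth", "infinity").lower()
    props = requested_props(req["body"])
    principal = hdr.get("rvp-from-principal")
    rvp_props = [p for p in props if p.startswith("{%s}" % RVP_NS)]

    if principal or rvp_props:
        verdict = "rvp-presence-query"   # instant-messaging presence lookup
    elif depth != "0" or props == ["{DAV:}allprop"]:
        verdict = "webdav-enumeration"   # deep or all-property walk: heavy for the server
    else:
        verdict = "webdav-propfind"

    return {"verdict": verdict, "target": req["target"], "depth": depth,
            "props": props, "principal": principal, "notes": notes}


if __name__ == "__main__":
    for sample in (SAMPLE_RVP_REQUEST, SAMPLE_ENUM_REQUEST):
        print(classify_propfind(sample))
```

Run as a script it prints one dict per sample; fed a request extracted from a Snort payload it gives the same triage. The Depth default and the empty-body rule are the two places where a naive check goes wrong: a request carrying neither header nor body is the most expensive form of PROPFIND, not the least. Where a server is not meant to serve WebDAV at all, the cheaper fix is to refuse the method at the web server or reverse proxy (Apache's `<LimitExcept GET HEAD POST>` with a deny rule does this) rather than to rely on the application behind it ignoring the request.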
    



    This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 12:28:40 PDT