It does not matter what it is, propfind is known to give a heavy load
on a machine, so you can use it as a DoS tool to bring someone down.
Jakarta advises to bring some security on the use of propfind.

cheers
flo

Brady's First Law of Problem Solving:
When confronted by a difficult problem, you can solve it more easily by
reducing it to the question, "How would the Lone Ranger have handled this?"

----- Original Message -----
From: Frank Knobbe <FKnobbeat_private>
Date: Saturday, September 8, 2001 0:19 am
Subject: RE: WebDAV Propfind? Anyone?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Keith,
>
> I've been receiving these on occasion as well. I had contacted Compaq
> about the one listed below, but never heard back from them. I don't
> think these are intrusion attempts since all of them contain
> 'PROPFIND /instmssoftware that checks for an instant messaging
> directory of some sort.
> But what app is that? MS Messenger?
>
> Regards,
> Frank
>
> - --->8---
> [**] WEB-MISC webdav propfind access [**]
> 07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
> TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
> ***AP*** Seq: 0x5EB05800 Ack: 0xAEEBAEB Win: 0x2238 TcpLen: 20
> 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73 PROPFIND /instms
> 67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62 65 20 48 54 54 50
> 2F 31 2E 30 0D 0A 56 69 61 3A e HTTP/1.0..Via:
> 20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43 1.0 PRXREO03..C
> 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 ontent-Length: 1
> 35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 59..Content-Type
> 3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74 : text/xml..Host
> 3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx : xxxxxxxxxxxxx.
> 0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E .Depth: 0..RVP-N
> 6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72 otifications-Ver
> 73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46 sion: 0.2..RVP-F
> 72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68 rom-Principal: h
> 74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70 ttp://im.cpqcorp
> 2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 .net/instms61 73
> 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73 ases/richard.lus
> 68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B h..Connection: K
> 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78 eep-Alive....<?x
> 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 ml version="1.0"
> 3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78 ?>.<d:propfind x
> 6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D mlns:d='DAV:' xm
> 6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63 lns:r='http://sc
> 68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E hemas.microsoft.
> 63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F com/rvp/'><d:pro
> 70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64 p><r:state/><d:d
> 69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65 isplayname/><r:e
> 6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C mail/></d:prop><
> 2F 64 3A 70 72 6F 70 66 69 6E 64 3E /d:propfind>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
> > -----Original Message-----
> > From: McCammon, Keith [mailto:Keith.McCammonat_private]
> > Sent: Friday, September 07, 2001 1:46 PM
> >
> > Can anyone explain to me what's happening here? WebDAV is disabled on the
> > target web server per the MS procedure. Pat Sellers is an internal
> > employee. I've seen several employee names coming across in this fashion,
> > and it's starting to get bothersome. Unfortunately, I don't know much about
> > WebDAV requests/replies (which is, of course, why I've kept it disabled).
> >
> > Any help would be appreciated.
> >
> > Keith
> >
> > [**] IDS475/web-iis_web-webdav-propfind [**]
> > 09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
> > TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
> > ***AP*** Seq: 0xF92DC1E4 Ack: 0xB60B6704 Win: 0x4000 TcpLen: 20
> > 50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73 PROPFIND /instms
> > 67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65
> 6C 6C 65 72
> 73 20 48 54 54 50 2F 31 2E 30 0D 0A llers HTTP/1.0..
> > 56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F Via: 1.1 WHITEHO
> > 52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E RSE..Content-Len
> > 67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E gth: 159..Conten
> > 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C t-Type: text/xml
> > 0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65 ..Host: ourdomai
> > 6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20 n.com..Depth:
> > 30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74 0..RVP-Notificat
> > 69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E ions-Version: 0.
> > 32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E 2..RVP-From-Prin
> > 63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D cipal: http://im
> > 2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F .ssiadvantage.co
> > 6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65 m/instms> 73 2F
> 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E s/ecarrozza..Con
> > 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C nection: Keep-Al
> > 69 76 65 0D 0A 0D 0A ive....
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.8
> Comment: Free Dmitry Sklyarov !
>
> iQOHnkJqvaclO5A+98Rxf1UGsK
> =RjeX
> -----END PGP SIGNATURE-----
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http:
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
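
Added example, not part of the original messages: a small triage helper for PROPFIND alerts like the two quoted above. It takes the reassembled request bytes from an alert payload, separates requests that carry RVP-* headers and the /instmsg/aliases/ path from other PROPFIND traffic, and flags PROPFINDs whose Depth is infinity, the load-heavy case. The function names, verdict labels and sample hosts are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Path prefix visible in both captured requests in the thread.
RVP_PATH_PREFIX = "/instmsg/aliases/"

def parse_request(raw: bytes):
    """Return (method, path, headers) for a raw HTTP request, or None if malformed."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def classify_propfind(raw: bytes) -> dict:
    """Label one request so RVP-style lookups can be triaged apart from WebDAV walks."""
    parsed = parse_request(raw)
    if parsed is None:
        return {"verdict": "malformed"}
    method, path, headers = parsed
    if method.upper() != "PROPFIND":
        return {"verdict": "not-propfind"}
    # RFC 4918: a PROPFIND without a Depth header is treated as Depth: infinity.
    depth = headers.get("depth", "infinity").lower()
    result = {"depth": depth, "via": headers.get("via")}
    has_rvp = any(name.startswith("rvp-") for name in headers)
    if has_rvp and path.startswith(RVP_PATH_PREFIX):
        origin = urlsplit(headers.get("rvp-from-principal", "")).hostname
        result.update(verdict="rvp-alias-lookup",
                      target_alias=path[len(RVP_PATH_PREFIX):],
                      origin_host=origin)
    elif depth == "infinity":
        result["verdict"] = "webdav-deep-propfind"  # the expensive, load-heavy case
    else:
        result["verdict"] = "webdav-propfind"
    return result

# Constructed samples modelled on the captures; names and hosts are placeholders.
SAMPLE_RVP = (b"PROPFIND /instmsg/aliases/jane.doe HTTP/1.0\r\n"
              b"Via: 1.0 PROXY01\r\nHost: www.example.com\r\nDepth: 0\r\n"
              b"RVP-Notifications-Version: 0.2\r\n"
              b"RVP-From-Principal: http://im.example.net/instmsg/aliases/john.roe\r\n"
              b"Connection: Keep-Alive\r\n\r\n")
SAMPLE_DEEP = b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_RVP, SAMPLE_DEEP):
        print(classify_propfind(sample))
```

The origin_host and via fields show which outside system and proxy a lookup came through, which is the information needed to contact the sending organisation.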
This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 12:28:40 PDT