New Virus/Worm - Frontpage?

From: Clinton Smith (festiveat_private)
Date: Wed Jan 30 2002 - 18:46:42 PST


    NOTE TO MODERATOR:
    I tried to send this before - but no luck.
    If the message is inappropriate or malformed
    please advise.
    
    
    
    I have seen some unusual traffic in my logs that looks like something new:
    (It appears to be automated, or a tool)
    
    Traffic Pattern is as follows:
    
    STANDARD RANDOM SRC PORT -> WEBSERVER (80)
    (24 Requests in Total over 1 second)
    
    -------------------------------------------------------------
    (3 of these)
    OPTIONS /home/ HTTP/1.1
    Translate: f
    User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
    Host: my.website.com
    Content-Length: 0
    Connection: Keep-Alive
    
    (2 of these)
    GET /_vti_inf.html HTTP/1.1
    Date: Tue, 29 Jan 2002 02:33:55 GMT
    MIME-Version: 1.0
    Accept: */*
    User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
    Host: my.website.com
    Accept: auth/sicily
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    
    (1 of these)
    OPTIONS / HTTP/1.1
    Translate: f
    User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
    Host: my.website.com
    Content-Length: 0
    Connection: Keep-Alive
    
    (1 of these)
    POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
    Date: Tue, 29 Jan 2002 02:33:58 GMT
    MIME-Version: 1.0
    User-Agent: MSFrontPage/5.0
    Host: my.website.com
    Accept: auth/sicily
    Content-Length: 41
    Content-Type: application/x-www-form-urlencoded
    X-Vermeer-Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    Cache-Control: no-cache
    
    method=server+version%3a5%2e0%2e2%2e2623
    
    (3 of these)
    OPTIONS /home/ HTTP/1.1
    Translate: f
    User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
    Host: my.website.com
    Content-Length: 0
    Connection: Keep-Alive
    
    (1 of these)
    POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
    Date: Tue, 29 Jan 2002 02:34:04 GMT
    MIME-Version: 1.0
    User-Agent: MSFrontPage/5.0
    Host: my.website.com
    Accept: auth/sicily
    Content-Length: 41
    Content-Type: application/x-www-form-urlencoded
    X-Vermeer-Content-Type: application/x-www-form-urlencoded
    Connection: Keep-Alive
    Cache-Control: no-cache
    
    method=server+version%3a5%2e0%2e2%2e2623
    
    (1 of these)
    GET /_vti_inf.html HTTP/1.1
    Date: Tue, 29 Jan 2002 02:34:03 GMT
    MIME-Version: 1.0
    Accept: */*
    User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
    Host: my.website.com
    Accept: auth/sicily
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
    
    (8 of these)
    PROPFIND /home/ HTTP/1.1
    Depth: 0
    translate: f
    User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
    Host: my.website.com
    Content-Length: 0
    Connection: Keep-Alive
    Pragma: no-cache
    
    -------------------------------------------------------------
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
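As an added illustration (not part of the original post), a small Python detector that recognises the four request types shown above (the MSDAIPP OPTIONS, the GET of /_vti_inf.html, the FrontPage RPC POST and the WebDAV PROPFIND) and flags any source that hits several of them within a short window; the source addresses, timestamps and the benign visitor in the sample are constructed.

```python
from collections import defaultdict

# One probe stage per entry: (method, exact path or None, header name, substring).
# Taken from the request headers quoted in the post above.
STAGES = (
    ("OPTIONS", None, "Translate", "f"),
    ("GET", "/_vti_inf.html", "User-Agent", "MS FrontPage"),
    ("POST", "/_vti_bin/shtml.exe/_vti_rpc", "User-Agent", "MSFrontPage"),
    ("PROPFIND", None, "User-Agent", "WebDAV-MiniRedir"),
)

def stage_of(method, path, headers):
    """Return the index of the stage a request matches, or None."""
    lower = {k.lower(): v for k, v in headers.items()}  # 'translate' vs 'Translate'
    for i, (m, p, h, needle) in enumerate(STAGES):
        if method == m and (p is None or path == p) and needle in lower.get(h.lower(), ""):
            return i
    return None

def find_probes(requests, window=5.0, min_stages=3):
    """requests: iterable of (ts, src, method, path, headers).
    Returns {src: sorted stage indexes} for every source that reaches at
    least `min_stages` distinct stages within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, method, path, headers in requests:
        s = stage_of(method, path, headers)
        if s is not None:
            by_src[src].append((ts, s))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                hits[src] = sorted(seen)
                break
    return hits

# Constructed sample: one host running the sequence, one ordinary visitor.
SAMPLE = [
    (0.0, "192.0.2.10", "OPTIONS", "/home/", {"Translate": "f", "User-Agent": "Microsoft Data Access Internet Publishing Provider Protocol Discovery"}),
    (0.3, "192.0.2.10", "GET", "/_vti_inf.html", {"User-Agent": "Mozilla/2.0 (compatible; MS FrontPage 5.0)"}),
    (0.6, "192.0.2.10", "POST", "/_vti_bin/shtml.exe/_vti_rpc", {"User-Agent": "MSFrontPage/5.0", "X-Vermeer-Content-Type": "application/x-www-form-urlencoded"}),
    (0.9, "192.0.2.10", "PROPFIND", "/home/", {"Depth": "0", "translate": "f", "User-Agent": "Microsoft-WebDAV-MiniRedir/5.1.2600"}),
    (1.0, "198.51.100.7", "GET", "/index.html", {"User-Agent": "Mozilla/4.0"}),
    (900.0, "198.51.100.7", "PROPFIND", "/home/", {"User-Agent": "Microsoft-WebDAV-MiniRedir/5.1.2600"}),
]

if __name__ == "__main__":
    print(find_probes(SAMPLE))  # {'192.0.2.10': [0, 1, 2, 3]}
```

A lone PROPFIND from a Windows WebDAV redirector is normal client behaviour, which is why the detector requires several distinct stages from one source rather than any single request.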
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 09:17:35 PST