It will show up if you are using URLScan with something like this:

[03-18-2003 - 14:21:26] Client at 10.226.39.107: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.

The actual message depends on how you are trying to exploit it. This was generated by using Guninski's sample exploit perl script.

-Jason

> -----Original Message-----
> From: Tina Bird [mailto:tbird@precision-guesswork.com]
> Sent: Wednesday, March 19, 2003 2:36 PM
> To: loganalysisat_private; intrusionsat_private
> Cc: Rainer Gerhards
> Subject: IIS/WebDAV and logging
>
>
> Hi all --
>
> It would appear that exploits of MS03-007 are not going to create entries
> in the IIS access logs. IIS doesn't log until a client request is
> finished processing. When the WebDAV vector is used to overflow
> whatever-it-is in ntdll.dll, the client request never finishes, so no log
> message is ever created.
>
> There's no reason I can think of to expect this to create anything in the
> Event Log, either. So looks to me like the only way to see this will be
> with network-based IDS -- or maybe one of the host IDS systems that
> captures information on privilege escalation and kernel calls on Windows
> boxes (and I'm not sure that such a thing even exists yet). Although boy
> I'd be delighted to find out I was wrong about this...
>
> Thanks to Rainer Gerhards, who's taught me nearly everything I know about
> IIS workflow and logging.
>
> tbird
>
> --
> "I knew it! I knew it! Well, not in the sense of having the slightest
> idea, but I knew there was something I didn't know."
> -- Willow, from "Buffy the Vampire Slayer"
>
> http://www.shmoo.com/~tbird Log Analysis http://www.loganalysis.org VPN http://vpn.shmoo.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
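
Added example, not part of the original messages: a small Python filter for the URLScan rejection line quoted in the reply above, grouping rejected WebDAV verbs by client so they can be reviewed even though the IIS access log stays empty. The regex is modeled only on that one quoted line; the WebDAV verb set, the function name and every sample line after the first are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the rejection line quoted in the reply above. Other URLScan
# rejection messages use different wording and are not matched here.
REJECTED_VERB = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} - \d{2}:\d{2}:\d{2})\] "
    r"Client at (?P<client>\d{1,3}(?:\.\d{1,3}){3}): "
    r"Sent verb '(?P<verb>[^']*)', which is not specifically allowed\."
)

# WebDAV methods from RFC 2518, plus SEARCH (assumed watch list).
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}


def rejected_webdav(lines):
    """Return {client_ip: [(timestamp, verb), ...]} for rejected WebDAV verbs."""
    hits = defaultdict(list)
    for line in lines:
        m = REJECTED_VERB.match(line.strip())
        if not m or m["verb"].upper() not in WEBDAV_VERBS:
            continue  # not a verb rejection, or not a WebDAV verb
        ts = datetime.strptime(m["ts"], "%m-%d-%Y - %H:%M:%S")
        hits[m["client"]].append((ts, m["verb"].upper()))
    return dict(hits)


# First line is the one quoted in the reply; the other three are constructed.
SAMPLE = """\
[03-18-2003 - 14:21:26] Client at 10.226.39.107: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[03-18-2003 - 14:21:27] Client at 10.226.39.107: Sent verb 'SEARCH', which is not specifically allowed. Request will be rejected.
[03-18-2003 - 14:25:02] Client at 192.0.2.15: Sent verb 'TRACE', which is not specifically allowed. Request will be rejected.
[03-18-2003 - 14:30:40] Client at 192.0.2.44: Sent verb 'LOCK', which is not specifically allowed. Request will be rejected.
""".splitlines()

if __name__ == "__main__":
    for client, events in sorted(rejected_webdav(SAMPLE).items()):
        verbs = ", ".join(v for _, v in events)
        print(f"{client}: {len(events)} rejected WebDAV request(s) [{verbs}], "
              f"first at {events[0][0]:%Y-%m-%d %H:%M:%S}")
```

This only sees requests that URLScan itself rejected and logged; it says nothing about servers where the verb is allowed through to IIS.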
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:38:56 PST