[logs] RE: IIS/WebDAV and logging

From: DePriest, Jason R. (jrdepriestat_private)
Date: Wed Mar 19 2003 - 12:58:18 PST


    It will show up if you are using URLScan with something like this:
    [03-18-2003 - 14:21:26] Client at 10.226.39.107: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
    
    The actual message depends on how you are trying to exploit it.  This was
    generated by using Guninski's sample exploit perl script.
    
    -Jason
    
    > -----Original Message-----
    > From: Tina Bird [mailto:tbird@precision-guesswork.com] 
    > Sent: Wednesday, March 19, 2003 2:36 PM
    > To: loganalysisat_private; intrusionsat_private
    > Cc: Rainer Gerhards
    > Subject: IIS/WebDAV and logging
    > 
    > 
    > Hi all --
    > 
    > It would appear that exploits of MS03-007 are not going to create entries
    > in the IIS access logs.  IIS doesn't log until a client request is
    > finished processing.  When the WebDAV vector is used to overflow
    > whatever-it-is in ntdll.dll, the client request never finishes, so no log
    > message is ever created.
    > 
    > There's no reason I can think of to expect this to create anything in the
    > Event Log, either.  So looks to me like the only way to see this will be
    > with network-based IDS -- or maybe one of the host IDS systems that
    > captures information on privilege escalation and kernel calls on Windows
    > boxes (and I'm not sure that such a thing even exists yet).  Although boy
    > I'd be delighted to find out I was wrong about this...
    > 
    > Thanks to Rainer Gerhards, who's taught me nearly everything I know about
    > IIS workflow and logging.
    > 
    > tbird
    > 
    > -- 
    > "I knew it! I knew it! Well, not in the sense of having the slightest
    > idea, but I knew there was something I didn't know."
    >                                  -- Willow, from "Buffy the Vampire Slayer"
    > 
    > http://www.shmoo.com/~tbird
    > Log Analysis http://www.loganalysis.org
    > VPN http://vpn.shmoo.com
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
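
The practical upshot of the thread is that the W3C access log is the wrong place to look for this one (the request never completes, so IIS never writes the entry) and the URLScan rejection log is the right place. The script below is an added example, not code posted by Jason, Tina or anyone on the list: it parses URLScan rejection lines of the exact shape Jason quoted, keeps only those whose rejected verb is a WebDAV method, and counts them per client so a single noisy source stands out. Assumptions: the archive wrapped Jason's log line, so the parser treats it as one line, as URLScan writes it; only the "Sent verb '...', which is not specifically allowed" message is modelled, since Jason notes the message varies with the exploit and the thread shows no other variants; the WebDAV verbs beyond PROPFIND come from RFC 2518, not from the thread; and every sample line other than the first is constructed for the example.

```python
"""Triage URLScan rejection lines for WebDAV verbs (added example, not from the thread).

Assumptions, all labelled: line format is the single line quoted in the thread,
'[MM-DD-YYYY - HH:MM:SS] Client at <ip>: Sent verb '<VERB>', which is not
specifically allowed. Request will be rejected.'; WebDAV verbs other than
PROPFIND are taken from RFC 2518; sample lines after the first are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Only the rejection message Jason quoted is parsed. URLScan emits other
# messages for other rules; those lines are skipped rather than guessed at.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\d{2}-\d{4} - \d{2}:\d{2}:\d{2})\] "
    r"Client at (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"Sent verb '(?P<verb>[^']*)', which is not specifically allowed\. "
    r"Request will be rejected\.$"
)

# PROPFIND is the verb seen in the thread; the rest are RFC 2518 methods
# (assumption: a WebDAV-aware attack tool may use any of them).
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log. Line 1 is the line quoted in the thread, rejoined
# onto one line; lines 2-5 are made up for this example.
SAMPLE_LOG = [
    "[03-18-2003 - 14:21:26] Client at 10.226.39.107: Sent verb 'PROPFIND', "
    "which is not specifically allowed. Request will be rejected.",
    "[03-18-2003 - 14:21:27] Client at 10.226.39.107: Sent verb 'SEARCH', "
    "which is not specifically allowed. Request will be rejected.",
    "[03-18-2003 - 14:22:01] Client at 10.226.39.50: Sent verb 'TRACE', "
    "which is not specifically allowed. Request will be rejected.",
    "[03-18-2003 - 14:22:05] Client at 10.226.39.51: Sent verb 'LOCK', "
    "which is not specifically allowed. Request will be rejected.",
    "[03-18-2003 - 14:22:09] Client at 10.226.39.52: Request rejected for a "
    "reason this example does not model.",
]


def parse_line(line):
    """Return {'time', 'ip', 'verb'} for a verb-rejection line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%m-%d-%Y - %H:%M:%S"),
        "ip": m.group("ip"),
        "verb": m.group("verb").upper(),
    }


def webdav_rejections(lines):
    """Keep only parsed rejections whose verb is a WebDAV method."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["verb"] in WEBDAV_VERBS:
            events.append(rec)
    return events


def clients_over_threshold(events, threshold=1):
    """Map client IP -> rejection count for clients at or above threshold."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def summarize(events):
    """Map client IP -> (first seen, sorted list of distinct verbs)."""
    first_seen = {}
    verbs = defaultdict(set)
    for e in events:
        if e["ip"] not in first_seen or e["time"] < first_seen[e["ip"]]:
            first_seen[e["ip"]] = e["time"]
        verbs[e["ip"]].add(e["verb"])
    return {ip: (first_seen[ip], sorted(verbs[ip])) for ip in first_seen}


if __name__ == "__main__":
    evs = webdav_rejections(SAMPLE_LOG)
    for ip, (when, vs) in summarize(evs).items():
        print(f"{ip}: first seen {when:%Y-%m-%d %H:%M:%S}, verbs {vs}")
    print("repeat offenders:", clients_over_threshold(evs, threshold=2))
```

On the constructed sample this flags 10.226.39.107 (two WebDAV rejections) and 10.226.39.51 (one), ignores the TRACE rejection because it is not a WebDAV verb, and skips the unmodelled line without failing. A match here only proves a disallowed verb reached the server; it says nothing about whether the overflow itself was attempted, which is exactly why Tina's observation about the missing IIS access-log entry matters.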
    



    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:38:56 PST