Security Incidents mailing list archives
Re: IIS4 Logs
From: lurker () ITIS COM (M J)
Date: Thu, 25 May 2000 14:55:10 -0000
You will see this type of activity in your HTTP logs when somebody tries to connect or list web sites via FrontPage. You may also see it from a vulnerability scanner. This is obviously automated (via application, script, or utility) because of the time on the logs - 1 second intervals. (You can telnet to port 80 and issue these same commands manually - the results will be the same)

209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
(Sounds like you've patched this but if it's not, one can gather the installation path/drive)

209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270
(FrontPage installation information)

209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367

209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190
(OPTIONS will show you what methods are allowed by the server on a particular site or directory. For example if you telnet to port 80 and issue OPTIONS / HTTP/1.1 and hit enter twice, the web server MAY tell you what options are allowed for that HTTP version (i.e. POST, HEAD, GET, PUT, TRACE, etc.))

Here's what Microsoft shows...

telnet www.microsoft.com:80
OPTIONS / HTTP/1.1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 25 May 2000 14:41:16 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

If you are interested you can read RFC2068 (obsolete) or RFC2616 for HTTP 1.1 at ftp://ftp.isi.edu/in-notes/rfc2616.txt

Hope this helps.

-Matthew

PS: While we are on the topic - does anyone know where to find more information on the "new" methods allowed in IIS5? (such as PROPFIN, LOCK, UNLOCK, PROPPATCH, MCOL, etc.)

Thanks!
-m
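
Added example, not part of the original message: a short Python check that picks out the pattern described above (FrontPage `/_vti_` requests and OPTIONS from one client at roughly one-second intervals) from Common Log Format lines. The function names, the thresholds (min_hits, max_gap) and the final sample line from 192.0.2.10 are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First four lines are the entries quoted in the message above; the last line
# is constructed, as ordinary traffic for contrast.
SAMPLE_LOG = """\
209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270
209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190
192.0.2.10 - - [24/May/2000:11:52:10 -0500] "GET /index.html HTTP/1.1" 200 5120
"""

# client, timestamp, method, path, status from a Common Log Format line
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def is_probe(method, path):
    """FrontPage discovery requests and method enumeration, as described above."""
    return path.lower().startswith("/_vti_") or method == "OPTIONS"

def find_automated_probes(log_text, min_hits=3, max_gap=2.0):
    """Return {client_ip: [(time, method, path, status), ...]} for clients with at
    least min_hits probe requests, each no more than max_gap seconds apart."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ip, ts, method, path, status = m.groups()
        if is_probe(method, path):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, method, path, int(status)))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(events) >= min_hits and all(g <= max_gap for g in gaps):
            flagged[ip] = events
    return flagged

if __name__ == "__main__":
    for ip, events in find_automated_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} FrontPage/OPTIONS probes at machine speed")
        for when, method, path, status in events:
            print(f"  {when.isoformat()} {method} {path} -> {status}")
```

The status codes in the result (405, 404, 405 in the quoted entries) show whether the FrontPage endpoints answered, which is the first thing to check after a hit.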