Security Incidents mailing list archives

Re: IIS4 Logs


From: lurker () ITIS COM (M J)
Date: Thu, 25 May 2000 14:55:10 -0000


You will see this type of activity in your HTTP logs when 
somebody tries to connect or list web sites via FrontPage.  
You may also see it from a vulnerability scanner.  This is 
obviously automated (via application, script, or utility) 
because of the time on the logs - 1 second intervals.  (You 
can telnet to port 80 and issue these same commands 
manually - the results will be the same) 

209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
(Sounds like you've patched this but if it's not, one can 
gather the installation path/drive)

209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET
/_vti_inf.html HTTP/1.1" 404 270
(FrontPage installation information)

209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367

209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / 
HTTP/1.1" 200 190
(OPTIONS will show you what methods are allowed by the 
server on a particular site or directory.  For example if 
you telnet to port 80 and issue OPTIONS / HTTP/1.1 and hit 
enter twice, the web server MAY tell you what options are 
allowed for that HTTP version (i.e. POST, HEAD, GET, PUT, 
TRACE, etc.))

Here's what Microsoft shows...

telnet www.microsoft.com:80

OPTIONS / HTTP/1.1

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 25 May 2000 14:41:16 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, 
MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, 
LOCK, UNLOCK
Cache-Control: private

If you are interested you can read RFC2068 (obsolete) or 
RFC2616 for HTTP 1.1 at ftp://ftp.isi.edu/in-notes/rfc2616.txt

Hope this helps.

-Matthew

PS: While we are on the topic - does anyone know where to 
find more information on the "new" methods allowed in IIS5? 
(such as PROPFIND, LOCK, UNLOCK, PROPPATCH, MKCOL, etc.)

Thanks!

-m
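
The pattern described in the message above (FrontPage `/_vti_` requests and an `OPTIONS` probe from one client at one-second intervals) can be picked out of a Common Log Format file mechanically. The following Python is an added example, not part of the original message; the function names, the `min_hits` and `max_gap` thresholds, and the two `192.0.2.10` lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def is_probe(method, path):
    # Indicators named in the post: FrontPage /_vti_* paths and OPTIONS.
    return method == "OPTIONS" or path.lower().startswith("/_vti_")

def find_frontpage_sweeps(lines, min_hits=3, max_gap=2.0):
    """Return {client: [(time, method, path, status), ...]} for clients with a run of
    at least min_hits probe requests, each within max_gap seconds of the previous."""
    by_host = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m or not is_probe(m["method"], m["path"]):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_host[m["host"]].append((when, m["method"], m["path"], int(m["status"])))
    sweeps = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        run = best = [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            gap = (cur[0] - prev[0]).total_seconds()
            run = run + [cur] if gap <= max_gap else [cur]  # extend or restart the run
            if len(run) > len(best):
                best = run
        if len(best) >= min_hits:
            sweeps[host] = best
    return sweeps

# The first four entries are the log lines quoted in the post (wrapping rejoined);
# the two 192.0.2.10 entries are constructed: ordinary traffic and a lone OPTIONS.
SAMPLE = [
    '209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367',
    '209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270',
    '209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367',
    '209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190',
    '192.0.2.10 - - [24/May/2000:11:51:30 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [24/May/2000:11:52:00 -0500] "OPTIONS / HTTP/1.1" 200 190',
]

if __name__ == "__main__":
    for host, hits in find_frontpage_sweeps(SAMPLE).items():
        print(host, [(m, p, s) for _, m, p, s in hits])
```

The status codes in each flagged run show which probes got an answer: here only the `OPTIONS` request returned 200, while the FrontPage requests returned 405 and 404.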

