Security Incidents mailing list archives

Re: RE: WebDAV Propfind? Anyone?


From: "Floris Meester" <floris.meester () marviQ com>
Date: Sat, 08 Sep 2001 14:14:56 +0200


It does not matter what it is, propfind is known
to give a heavy load on a machine, so you can use
it as a DoS tool to bring someone down.
Jakarta advises to bring some security on the
use of propfind.
Cheers, flo

Brady's First Law of Problem Solving:
        When confronted by a difficult problem, you can solve it more
easily by reducing it to the question, "How would the Lone Ranger have
handled this?"

----- Original Message -----
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Saturday, September 8, 2001 0:19 am
Subject: RE: WebDAV Propfind?  Anyone?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith,

I've been receiving these on occasion as well. I had contacted Compaq
about the one listed below, but never heard back from them. I don't
think these are intrusion attempts since all of them contain
'PROPFIND /instmssoftware that checks for an instant messaging 
directory of some sort.
But what app is that? MS Messenger?

Regards,
Frank

- --->8---
[**] WEB-MISC webdav propfind access [**]
07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x5EB05800  Ack: 0xAEEBAEB  Win: 0x2238  TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62  g/aliases/fknobb
65 20 48 54 54 50 2F 31 2E 30 0D 0A 56 69 61 3A  e HTTP/1.0..Via:
20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43   1.0 PRXREO03..C
6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31  ontent-Length: 1
35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  59..Content-Type
3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74  : text/xml..Host
3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx  : xxxxxxxxxxxxx.
0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E  .Depth: 0..RVP-N
6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72  otifications-Ver
73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46  sion: 0.2..RVP-F
72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68  rom-Principal: h
74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70  ttp://im.cpqcorp
2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69  .net/instmsg/ali
61 73 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73  ases/richard.lus
68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  h..Connection: K
65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78  eep-Alive....<?x
6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22  ml version="1.0"
3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78  ?>.<d:propfind x
6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D  mlns:d='DAV:' xm
6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63  lns:r='http://sc
68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E  hemas.microsoft.
63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F  com/rvp/'><d:pro
70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64  p><r:state/><d:d
69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65  isplayname/><r:e
6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C  mail/></d:prop><
2F 64 3A 70 72 6F 70 66 69 6E 64 3E              /d:propfind>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Friday, September 07, 2001 1:46 PM

Can anyone explain to me what's happening here?  WebDAV is disabled on the
target web server per the MS procedure.  Pat Sellers is an internal
employee.  I've seen several employee names coming across in this fashion,
and it's starting to get bothersome.  Unfortunately, I don't know much about
WebDAV requests/replies (which is, of course, why I've kept it disabled).

Any help would be appreciated.

Keith

[**] IDS475/web-iis_web-webdav-propfind [**]
09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
***AP*** Seq: 0xF92DC1E4  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65  g/aliases/pat.se
6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth: 
30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
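As an added example (not from any of the posters), a small Python classifier for the kind of request both alerts show: it parses the raw request that the Snort hex dump decodes to and flags a PROPFIND that carries RVP-* headers or asks for properties in the http://schemas.microsoft.com/rvp/ namespace. As I understand it, those headers and that namespace belong to RVP, the presence protocol of Exchange 2000 Instant Messaging, so such a request is a lookup of the named alias's IM status (state, displayname, email) rather than a probe of the web server. The sample request is constructed from the dumps above, with host, proxy and alias names replaced by placeholders, and the header-only case (Keith's alert caught the first packet without the body) is handled.

```python
import xml.etree.ElementTree as ET

RVP_NS = "http://schemas.microsoft.com/rvp/"

# Constructed sample modelled on the dumps in the thread (same header order, Depth: 0,
# the 159-byte propfind body); host, proxy and alias names are placeholders.
SAMPLE = (
    b"PROPFIND /instmsg/aliases/someuser HTTP/1.0\r\n"
    b"Via: 1.1 PROXY01\r\nContent-Length: 159\r\nContent-Type: text/xml\r\n"
    b"Host: redacted.example\r\nDepth: 0\r\nRVP-Notifications-Version: 0.2\r\n"
    b"RVP-From-Principal: http://im.other.example/instmsg/aliases/sender\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
    b'<?xml version="1.0"?>\n'
    b"<d:propfind xmlns:d='DAV:' xmlns:r='http://schemas.microsoft.com/rvp/'>"
    b"<d:prop><r:state/><d:displayname/><r:email/></d:prop></d:propfind>"
)

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return {"method": method, "target": target, "headers": headers, "body": body}

def requested_props(body: bytes) -> list:
    """(namespace, name) pairs under DAV:prop in a propfind body; [] if not a propfind."""
    root = ET.fromstring(body)
    if root.tag != "{DAV:}propfind":
        return []
    return [tuple(c.tag[1:].split("}", 1)) for p in root.iter("{DAV:}prop") for c in p]

def classify(raw: bytes) -> dict:
    """Flag a PROPFIND carrying RVP-* headers or asking for RVP-namespace properties."""
    req = parse_request(raw)
    h = req["headers"]
    # The alert may hold only the first packet (headers, no body), so RVP-* headers
    # alone are enough to flag; body_complete tells whether the whole Content-Length arrived.
    props = requested_props(req["body"]) if req["body"] else []
    has_rvp_hdr = any(k.startswith("rvp-") for k in h)
    wants_rvp = any(ns == RVP_NS for ns, _ in props)
    return {
        "rvp_presence_lookup": req["method"] == "PROPFIND" and (has_rvp_hdr or wants_rvp),
        "target_alias": req["target"].rsplit("/", 1)[-1],
        "from_principal": h.get("rvp-from-principal"),
        "props": props,
        "body_complete": len(req["body"]) == int(h.get("content-length", "-1")),
    }
```

On a server with WebDAV disabled these requests get rejected anyway; the useful output is the From-Principal, which tells you which IM server is asking about your staff.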



