Security Incidents mailing list archives
Re: RE: WebDAV Propfind? Anyone?
From: "Floris Meester" <floris.meester () marviQ com>
Date: Sat, 08 Sep 2001 14:14:56 +0200
It does not matter what it is. PROPFIND is known to put a heavy load on a machine, so you can use it as a DoS tool to bring someone down. Jakarta advises putting some security on the use of propfind.

cheers
flo

Brady's First Law of Problem Solving: When confronted by a difficult problem, you can solve it more easily by reducing it to the question, "How would the Lone Ranger have handled this?"

----- Original Message -----
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Saturday, September 8, 2001 0:19 am
Subject: RE: WebDAV Propfind? Anyone?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith,

I've been receiving these on occasion as well. I had contacted Compaq about the one listed below, but never heard back from them. I don't think these are intrusion attempts since all of them contain 'PROPFIND /instms... software that checks for an instant messaging directory of some sort. But what app is that? MS Messenger?

Regards,
Frank

- --->8---
[**] WEB-MISC webdav propfind access [**]
07/31-03:18:39.633156 207.122.110.166:2545 -> x.x.x.x:80
TCP TTL:114 TOS:0x0 ID:20581 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x5EB05800  Ack: 0xAEEBAEB  Win: 0x2238  TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 66 6B 6E 6F 62 62
65 20 48 54 54 50 2F 31 2E 30 0D 0A 56 69 61 3A  e HTTP/1.0..Via:
20 31 2E 30 20 50 52 58 52 45 4F 30 33 0D 0A 43   1.0 PRXREO03..C
6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31  ontent-Length: 1
35 39 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  59..Content-Type
3A 20 74 65 78 74 2F 78 6D 6C 0D 0A 48 6F 73 74  : text/xml..Host
3A 20 xx xx xx xx xx xx xx xx xx xx xx xx xx xx  : xxxxxxxxxxxxx.
0A 44 65 70 74 68 3A 20 30 0D 0A 52 56 50 2D 4E  .Depth: 0..RVP-N
6F 74 69 66 69 63 61 74 69 6F 6E 73 2D 56 65 72  otifications-Ver
73 69 6F 6E 3A 20 30 2E 32 0D 0A 52 56 50 2D 46  sion: 0.2..RVP-F
72 6F 6D 2D 50 72 69 6E 63 69 70 61 6C 3A 20 68  rom-Principal: h
74 74 70 3A 2F 2F 69 6D 2E 63 70 71 63 6F 72 70  ttp://im.cpqcorp
2E 6E 65 74 2F 69 6E 73 74 6D 73 67 2F 61 6C 69  .net/instmsg/ali
61 73 65 73 2F 72 69 63 68 61 72 64 2E 6C 75 73  ases/richard.lus
68 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B  h..Connection: K
65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A 3C 3F 78  eep-Alive....<?x
6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22  ml version="1.0"
3F 3E 0A 3C 64 3A 70 72 6F 70 66 69 6E 64 20 78  ?>.<d:propfind x
6D 6C 6E 73 3A 64 3D 27 44 41 56 3A 27 20 78 6D  mlns:d='DAV:' xm
6C 6E 73 3A 72 3D 27 68 74 74 70 3A 2F 2F 73 63  lns:r='http://sc
68 65 6D 61 73 2E 6D 69 63 72 6F 73 6F 66 74 2E  hemas.microsoft.
63 6F 6D 2F 72 76 70 2F 27 3E 3C 64 3A 70 72 6F  com/rvp/'><d:pro
70 3E 3C 72 3A 73 74 61 74 65 2F 3E 3C 64 3A 64  p><r:state/><d:d
69 73 70 6C 61 79 6E 61 6D 65 2F 3E 3C 72 3A 65  isplayname/><r:e
6D 61 69 6C 2F 3E 3C 2F 64 3A 70 72 6F 70 3E 3C  mail/></d:prop><
2F 64 3A 70 72 6F 70 66 69 6E 64 3E              /d:propfind>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon () eadvancemed com]
Sent: Friday, September 07, 2001 1:46 PM

Can anyone explain to me what's happening here? WebDAV is disabled on the target web server per the MS procedure. Pat Sellers is an internal employee. I've seen several employee names coming across in this fashion, and it's starting to get bothersome. Unfortunately, I don't know much about WebDAV requests/replies (which is, of course, why I've kept it disabled). Any help would be appreciated.

Keith

[**] IDS475/web-iis_web-webdav-propfind [**]
09/07-13:57:13.692020 65.201.42.82:58299 -> X.X.X.X:80
TCP TTL:115 TOS:0x0 ID:44852 IpLen:20 DgmLen:319 DF
***AP*** Seq: 0xF92DC1E4  Ack: 0xB60B6704  Win: 0x4000  TcpLen: 20
50 52 4F 50 46 49 4E 44 20 2F 69 6E 73 74 6D 73  PROPFIND /instms
67 2F 61 6C 69 61 73 65 73 2F 70 61 74 2E 73 65
6C 6C 65 72 73 20 48 54 54 50 2F 31 2E 30 0D 0A  llers HTTP/1.0..
56 69 61 3A 20 31 2E 31 20 57 48 49 54 45 48 4F  Via: 1.1 WHITEHO
52 53 45 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E  RSE..Content-Len
67 74 68 3A 20 31 35 39 0D 0A 43 6F 6E 74 65 6E  gth: 159..Conten
74 2D 54 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C  t-Type: text/xml
0D 0A 48 6F 73 74 3A 20 65 61 64 76 61 6E 63 65  ..Host: ourdomai
6D 65 64 2E 63 6F 6D 0D 0A 44 65 70 74 68 3A 20  n.com..Depth:
30 0D 0A 52 56 50 2D 4E 6F 74 69 66 69 63 61 74  0..RVP-Notificat
69 6F 6E 73 2D 56 65 72 73 69 6F 6E 3A 20 30 2E  ions-Version: 0.
32 0D 0A 52 56 50 2D 46 72 6F 6D 2D 50 72 69 6E  2..RVP-From-Prin
63 69 70 61 6C 3A 20 68 74 74 70 3A 2F 2F 69 6D  cipal: http://im
2E 73 73 69 61 64 76 61 6E 74 61 67 65 2E 63 6F  .ssiadvantage.co
6D 2F 69 6E 73 74 6D 73 67 2F 61 6C 69 61 73 65  m/instmsg/aliase
73 2F 65 63 61 72 72 6F 7A 7A 61 0D 0A 43 6F 6E  s/ecarrozza..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 0D 0A                             ive....

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: Free Dmitry Sklyarov !

-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
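Added example, not code from anyone in the thread: a small Python tool that rebuilds the HTTP request from a Snort-style hex dump like the ones quoted above and classifies it the way the thread does by eye, treating the RVP-* headers plus an /instmsg/aliases/ path as the mark of an Exchange Instant Messaging presence probe rather than a generic WebDAV PROPFIND. The sample request, its hostnames and user names, and the classification labels are constructed placeholders.

```python
def snort_hexdump(payload: bytes, width: int = 16) -> str:
    """Render bytes like Snort's alert log: hex pairs, then ASCII with '.' for non-printables."""
    lines = []
    for off in range(0, len(payload), width):
        chunk = payload[off:off + width]
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        lines.append(hex_col + "  " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk))
    return "\n".join(lines)

def parse_snort_hexdump(dump: str, width: int = 16) -> bytes:
    """Recover the payload; only each line's leading hex column is read, so ASCII text
    such as '59..Content-Type' is never mistaken for a byte."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:width]:
            if len(tok) != 2 or not all(c in "0123456789ABCDEFabcdef" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_http_request(payload: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (h.partition(":") for h in lines[1:])}
    return {"method": method, "path": path, "headers": headers, "body": body}

def classify_propfind(payload: bytes) -> str:
    """Tell an RVP presence probe apart from other PROPFINDs, as the thread does by eye."""
    req = parse_http_request(payload)
    if req["method"] != "PROPFIND":
        return "not-propfind"
    if any(k.startswith("rvp-") for k in req["headers"]) and req["path"].startswith("/instmsg/aliases/"):
        return "rvp-presence-probe"
    # RFC 2518: a PROPFIND without a Depth header means Depth: infinity, the load-heavy case.
    if req["headers"].get("depth", "infinity") not in ("0", "1"):
        return "propfind-deep"
    return "propfind-generic"

# Constructed sample modelled on the requests in the thread; hosts and names are placeholders.
SAMPLE_REQUEST = (
    b"PROPFIND /instmsg/aliases/jane.doe HTTP/1.0\r\nVia: 1.0 PROXY01\r\n"
    b"Content-Length: 159\r\nContent-Type: text/xml\r\nHost: www.example.com\r\n"
    b"Depth: 0\r\nRVP-Notifications-Version: 0.2\r\n"
    b"RVP-From-Principal: http://im.example.net/instmsg/aliases/john.roe\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
    b"<?xml version=\"1.0\"?>\n<d:propfind xmlns:d='DAV:' xmlns:r='http://schemas.microsoft.com/rvp/'>"
    b"<d:prop><r:state/><d:displayname/><r:email/></d:prop></d:propfind>"
)
```

Anonymised "xx" bytes, as in the Host line of the first dump above, stop the decoder at that point, so substitute a placeholder byte if the rest of the request is needed. A dump that ends at the blank line (DgmLen 319 in the second alert) yields headers only; the XML body arrived in a later packet.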
Current thread:
- WebDAV Propfind? Anyone? McCammon, Keith (Sep 07)
- Re: WebDAV Propfind? Anyone? Todd Ransom (Sep 10)
- <Possible follow-ups>
- RE: WebDAV Propfind? Anyone? Frank Knobbe (Sep 07)
- RE: WebDAV Propfind? Anyone? McCammon, Keith (Sep 08)
- Re: RE: WebDAV Propfind? Anyone? Floris Meester (Sep 08)