new stuff in web logs, strange

Robert0380 · 09-26-2003, 09:29 AM

this looks like some kind of exploit for IIS or whatever but i have a lot of this in my httpd access_log:

Code:

ip.address.was.here - - [25/Sep/2003:15:20:35 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here- - [25/Sep/2003:15:20:38 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:20:41 -0400] "PROPFIND / HTTP/1.1" 405 244 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:22:11 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:22:11 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:22:11 -0400] "PROPFIND / HTTP/1.1" 405 244 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:22:12 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here- - [25/Sep/2003:15:22:12 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:22:12 -0400] "PROPFIND / HTTP/1.1" 405 244 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:28:05 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:28:05 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:28:08 -0400] "PROPFIND / HTTP/1.1" 405 244 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:43:33 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:43:33 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here- - [25/Sep/2003:15:43:33 -0400] "PROPFIND / HTTP/1.1" 405 244 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
ip.address.was.here - - [25/Sep/2003:15:49:39 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

i know it's not hurting my box at all, but because i help to administer this network (tech-support really), i'd like to know what that is so i can take any needed action to clean those systems if need be.

phoeniXflame · 09-27-2003, 05:33 AM

could be random webdav scans, shouldnt worry too much, my perimeter ids picks up scans like that on a daily basis, I assume performed by script kiddies scanning huge ip blocks for vunerable systems