Snort mailing list archives

odd little sequence PROPFIND -


From: Mark Rowlands <mark.rowlands () minmail net>
Date: Fri, 2 Nov 2001 22:37:36 +0100

I received this little lot inside 30 seconds.....anyone care to hit me with 
a clue stick.....fwiw the client says ie 6.0b nt 5.1.....and downloaded a 
couple of files quite acceptably and then ran riot with this lot :- some 
extracts from the apache log are included. (apache 2.0 without mod_dav!)

my real question is.....is this some sort of attempt to gain privilege or 
info or is it just normally obnoxious behaviour from IE6?

WEB-IIS _vti_inf access  2001-11-02 07:58:27  4.3.2.1:51659  1.2.3.4:80  TCP
WEB-IIS _vti_inf access  2001-11-02 07:58:27  4.3.2.1:51659  1.2.3.4:80  TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:27  4.3.2.1:51660  1.2.3.4:80  TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:27  4.3.2.1:51660  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:38  4.3.2.1:51661  1.2.3.4:80  TCP
WEB-IIS _vti_inf access  2001-11-02 07:58:42  4.3.2.1:51660  1.2.3.4:80  TCP
WEB-IIS _vti_inf access  2001-11-02 07:58:42  4.3.2.1:51660  1.2.3.4:80  TCP

[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:42  4.3.2.1:51663  1.2.3.4:80  TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:42  4.3.2.1:51663  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:52  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:52  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:52  4.3.2.1:51661  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:58:52  4.3.2.1:51661  1.2.3.4:80  TCP
WEB-IIS _vti_inf access  2001-11-02 07:58:59  4.3.2.1:51665  1.2.3.4:80  TCP
WEB-IIS _vti_inf access  2001-11-02 07:58:59  4.3.2.1:51665  1.2.3.4:80  TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:59  4.3.2.1:51666  1.2.3.4:80  TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access  2001-11-02 07:58:59  4.3.2.1:51666  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:59:09  4.3.2.1:51667  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:59:09  4.3.2.1:51667  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:59:09  4.3.2.1:51667  1.2.3.4:80  TCP
[arachNIDS] WEB-IIS view source via translate header  2001-11-02 07:59:09  4.3.2.1:51667  1.2.3.4:80  TCP

APACHE LOGS

"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 47104 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"






-- 
You're not my type.  For that matter, you're not even my species!!!
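
Added example, not part of the original post: a triage pass over the Apache excerpt above that groups requests by User-Agent and shows what the server answered for the requests behind the two alerts whose names carry a URL token. The sample is one copy of each distinct entry from the post; pairing an alert with a request by the token in its name is an assumption of this example.

```python
import re
from collections import defaultdict

# Distinct entries from the post's Apache excerpt (wrapped lines rejoined,
# repeated entries dropped).
SAMPLE = '''\
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
'''

ENTRY = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Assumption: an alert is paired with a request by the URL token in its name.
ALERT_TOKENS = {"WEB-IIS _vti_inf access": "_vti_inf",
                "WEB-FRONTPAGE _vti_rpc access": "_vti_rpc"}

def parse(text):
    """Return one dict per log entry; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(ENTRY.search, text.splitlines()) if m]

def by_agent(entries):
    """Group (method, path, status) under the User-Agent that sent them."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["agent"]].append((e["method"], e["path"], int(e["status"])))
    return dict(groups)

def alert_outcomes(entries):
    """For each alert name, the requests carrying its token and their status."""
    return {name: [(e["method"], e["path"], int(e["status"]))
                   for e in entries if token in e["path"]]
            for name, token in ALERT_TOKENS.items()}

def served(entries):
    """Requests answered with content: 2xx status and a non-empty body."""
    return [(e["method"], e["path"]) for e in entries
            if e["status"].startswith("2") and e["size"] not in ("0", "-")]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for agent, reqs in by_agent(entries).items():
        print(agent, reqs)
    print("alerts:", alert_outcomes(entries))
    print("served:", served(entries))
```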
