Re: Strange log entries

[Jason Kohles <jkohles () redhat com>]

On Fri, 2002-12-20 at 12:45, Mike Heitz wrote:
> I've run across a couple log entries on my OWA server. I'm pretty new to
> security (about a decade as a network admin, now taking on more and more
> responsibility) and have Googled the Propfind command... only a handful
> of results (including a MS Whitepaper I am currently reading).
>
> Does anyone know what this is exactly? We do not have Instant Messaging
> enabled on the server... my main concern is that the Username that was
> listed was my own!!! I've used Visual Route to trace the IP addresses
> back with marginal success (one got lost after a bunch of hops and the
> other ended up in Pittsburgh, PA).
It's the microsoft instant messenger trying to find information about
you, it's mostly harmless.  The reason that it contains your username is
that it's based on email address, so to find IM details for
bob () somewhere com, it does a PROPFIND on the url
http://somewhere.com/instmsg/aliases/bob.

All it means is someone got email from you, and looked to see if you had
compatible instant messaging as well (their mail clients may even do
this check automatically, I'm not sure).

> Any ideas or info would be greatly appreciated. Thanks!
>
> 2002-12-19 17:35:28 65.119.193.141 - 192.168.43.17 80 PROPFIND
> /instmsg/aliases/<username> - 404 -
>
> then a short time later
>
> 2002-12-19 20:54:13 141.189.251.1 - 192.168.43.17 80 PROPFIND
> /instmsg/aliases/<username> - 404 -
>
>
> mike heitz ** sr it manager ** UPSHOT
> 312-943-0900 x5190
-- 
Jason Kohles                                 jkohles () redhat com
Senior Engineer                 Red Hat Professional Consulting