Security Incidents mailing list archives

IIS4 Logs


From: dboyd () CA UKY EDU (Daniel K. Boyd)
Date: Wed, 24 May 2000 13:18:34 -0400


Reading the IIS4 logs of one of our boxes found these goodies. Is it
possible that there is an innocent explanation for this? We have a few remote
users that use this ISP (assuming the IP is legit) and I would hate to
incorrectly submit a complaint due to my cluelessness. Also, there are no
forms on this box or forms that POST to this box. I don't understand the
"OPTIONS" entry in the last line. Looks very much like an attempt to exploit
to me. Like something right out of what I would expect to see if I ran the
Cerberus scanner. Remedies for the DVWSSR.DLL exploit and the shtml.exe have
been applied to this box.

Any feedback will be greatly appreciated.

209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1" 404 270
209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190

---
Daniel K. Boyd
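
Added example, not part of the original message: one way to triage log entries like those in the post is to group, per client, every request under /_vti_ or using a method other than GET/HEAD, together with the time span and the status codes returned. The function names (unfold, parse, summarize) and the 192.0.2.10 entry are assumptions made for illustration; the other entries are the ones from the post, folded the way a mail client wraps long lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four entries from the post, folded the way a mail client wraps long lines,
# plus one constructed entry (192.0.2.10) for contrast.
SAMPLE = """\
209.250.45.86 - - [24/May/2000:11:50:53 -0500] "POST
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:54 -0500] "GET /_vti_inf.html HTTP/1.1"
404 270
209.250.45.86 - - [24/May/2000:11:50:55 -0500] "POST
/_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 405 367
209.250.45.86 - - [24/May/2000:11:50:56 -0500] "OPTIONS / HTTP/1.1" 200 190
192.0.2.10 - - [24/May/2000:11:51:02 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

ENTRY = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
STARTS_ENTRY = re.compile(r'^\d{1,3}(\.\d{1,3}){3} ')

def unfold(text):
    """Rejoin folded entries: a line that does not start with an IP continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STARTS_ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed entry."""
    for entry in unfold(text):
        m = ENTRY.match(entry)
        if m:
            ip, ts, method, path, status, _size = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def summarize(text):
    """Per client: requests under /_vti_ or using a method other than GET/HEAD."""
    hits = defaultdict(list)
    for ip, ts, method, path, status in parse(text):
        if "/_vti_" in path.lower() or method not in ("GET", "HEAD"):
            hits[ip].append((ts, method, path, status))
    return {ip: {"requests": len(rows),
                 "span_seconds": (max(r[0] for r in rows) - min(r[0] for r in rows)).total_seconds(),
                 "methods": sorted({r[1] for r in rows}),
                 "statuses": sorted({r[3] for r in rows})}
            for ip, rows in hits.items()}
```

The summary only collects the facts needed for a decision (which client, how many requests, over how long, and what the server answered); it does not classify the traffic.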


