Security Incidents mailing list archives

Use of HEAD in web server scan


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Mon, 29 Oct 2001 10:52:42 +1300 (NZDT)

I had not seen this before so I thought others might be interested.

Last night someone (working through a machine in China :( ) attacked 
our main campus web server.  Snort logged over 600 probes.  I asked the 
webserver support staff to check the logs to make sure that everything 
was OK and they came back very puzzled:  they could find hardly any 
traffic from the IP and what there was was perfectly innocent.  

I went back to the snort logs and had a look at the packet dumps and 
found that they were all HEAD requests which appear not to be logged by 
IIS.

The tool used uses HEAD requests to establish if certain vulnerabilities 
exist; these include various directory traversal vulnerabilities, the 
presence of vulnerable CGI scripts, etc.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
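
An added example, not part of the original post: one way to surface the gap described above is to compare request lines captured by the IDS with the web server's access log, flagging sources whose traffic is mostly HEAD requests to many distinct paths and counting how many of their requests the server log never recorded. The log layouts, sample data, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (documentation-range IPs, not from the original post).
# Request lines as an IDS might capture them: (source IP, request line).
IDS_REQUESTS = (
    [("203.0.113.7", f"HEAD /probe{i}/ HTTP/1.0") for i in range(40)]
    + [("203.0.113.7", "GET /index.html HTTP/1.0"),
       ("198.51.100.20", "GET /index.html HTTP/1.0"),
       ("198.51.100.20", "HEAD /index.html HTTP/1.0"),
       ("198.51.100.20", "GET /about.html HTTP/1.0")]
)
# Assumed simplified access-log layout: "ip method path status".
# HEAD requests are absent from it, mirroring what the post reports.
ACCESS_LOG = """\
203.0.113.7 GET /index.html 200
198.51.100.20 GET /index.html 200
198.51.100.20 GET /about.html 200
"""

def summarize_ids(requests):
    """Per source: total requests, HEAD count, distinct paths asked for via HEAD."""
    stats = defaultdict(lambda: {"total": 0, "head": 0, "head_paths": set()})
    for ip, line in requests:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed request line, skip it
        entry = stats[ip]
        entry["total"] += 1
        if parts[0].upper() == "HEAD":
            entry["head"] += 1
            entry["head_paths"].add(parts[1])
    return stats

def find_head_scans(requests, access_log, min_head=20, min_head_ratio=0.8):
    """Flag sources dominated by HEAD requests; thresholds are illustrative."""
    logged = Counter(l.split()[0] for l in access_log.splitlines() if l.strip())
    findings = []
    for ip, s in summarize_ids(requests).items():
        if s["head"] >= min_head and s["head"] / s["total"] >= min_head_ratio:
            findings.append({"ip": ip, "head": s["head"],
                             "distinct_paths": len(s["head_paths"]),
                             # requests the IDS saw that the server log lacks
                             "unlogged": s["total"] - logged.get(ip, 0)})
    return findings

if __name__ == "__main__":
    for finding in find_head_scans(IDS_REQUESTS, ACCESS_LOG):
        print(finding)
```

A large "unlogged" count for a flagged source is the signal to check whether the web server is recording every request method.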

