Security Incidents mailing list archives

RE: WebDAV Propfind? Anyone?


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Sat, 8 Sep 2001 12:38:18 -0400

It certainly seems logical that it's some type of instant messaging
application.  And as you mentioned, I'm fairly certain that they aren't
malicious system probes.  But then again, I'm not running a propfind server,
so that makes the traffic/requests illegitimate.

Anyway, what really stumps me is the fact that the host being contacted with
all of these "user names" is just a web server.  No one surfs from that box.
It doesn't share that public address with any other systems or services.
There is no domain affiliation.  Nothing.  I can't, for the life of me,
figure out how and why this host is being contacted with this (quite
specific) information.

Keith 

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe () KnobbeITS com]
Sent: Friday, September 07, 2001 6:19 PM
To: 'McCammon, Keith'; 'incidents () securityfocus com'
Subject: RE: WebDAV Propfind? Anyone?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keith,

I've been receiving these on occasion as well. I had contacted Compaq
about the one listed below, but never heard back from them. I don't
think these are intrusion attempts since all of them contain
'PROPFIND /instmsg/aliases/somename'. Seems to be some kind of
software that checks for an instant messaging directory of some sort.
But what app is that? MS Messenger?

Regards,
Frank

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
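
One way to triage the requests discussed in this thread, as an added example that is not part of the original messages: group `PROPFIND /instmsg/aliases/<name>` hits in a web server access log by source address, alias and response status. The Common Log Format pattern, the function name and the sample lines (documentation addresses, made-up aliases) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Common Log Format; adjust the pattern for your server's format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The path prefix quoted in the thread, followed by the alias ("user name").
ALIAS_RE = re.compile(r'^/instmsg/aliases/(?P<alias>[^/?#]+)', re.IGNORECASE)

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Sep/2001:18:02:11 -0400] "PROPFIND /instmsg/aliases/jdoe HTTP/1.1" 404 312
192.0.2.10 - - [07/Sep/2001:18:07:45 -0400] "PROPFIND /instmsg/aliases/jdoe HTTP/1.1" 404 312
198.51.100.7 - - [08/Sep/2001:09:14:02 -0400] "PROPFIND /instmsg/aliases/asmith HTTP/1.1" 501 290
198.51.100.7 - - [08/Sep/2001:09:15:30 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [08/Sep/2001:10:01:00 -0400] "PROPFIND /docs/ HTTP/1.1" 404 300
"""

def summarize_instmsg_propfind(log_text):
    """Group PROPFIND /instmsg/aliases/<name> hits by source address."""
    report = defaultdict(lambda: {"count": 0, "aliases": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "PROPFIND":
            continue  # other methods are out of scope here
        a = ALIAS_RE.match(m.group("path"))
        if not a:
            continue  # PROPFIND on some other path
        entry = report[m.group("src")]
        entry["count"] += 1
        entry["aliases"].add(a.group("alias"))
        entry["statuses"].add(int(m.group("status")))
    return dict(report)

if __name__ == "__main__":
    for src, e in sorted(summarize_instmsg_propfind(SAMPLE_LOG).items()):
        # Any status below 400 (e.g. 207 Multi-Status) means the server answered
        # the PROPFIND instead of rejecting it, which deserves a closer look.
        flag = "SERVED" if any(s < 400 for s in e["statuses"]) else "rejected"
        print(src, e["count"], sorted(e["aliases"]), sorted(e["statuses"]), flag)
```

A source that keeps asking for the same alias points toward a misdirected client rather than a scan, and a host with no WebDAV enabled should only ever show rejected responses.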

