RE: Odd IIS log entries

["James C. Slora, Jr." <Jim.Slora () phra com>]

Jacob Hahn wrote Monday, April 28, 2003 1:27 PM

> The following is an IIS log entry, does anyone know if this is a known
> exploit. The "xxx" in the IP addresses was done to mask the server's
> identity.
>
> 2003-04-26 10:05:07 24.107.25.179 - 153.90.xxx.xxx 80 SEARCH
> /'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
> ''''''''''''''
<snip>
>  - 404
> 4240 65755 1078 HTTP/1.1 153.90.xxx.xxx - -

This looks like a common attempted WebDAV exploit of ntdll.dll, and appears to have been unsuccessful.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

http://www.stanford.edu/group/itss-ccs/security/IIS-WebDAV.html

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------