[Snort-users] odd little sequence PROPFIND -

Mark Rowlands mark.rowlands at ...752...
Fri Nov 2 13:37:04 EST 2001


I received this little lot inside 30 seconds..... anyone care to hit me with 
a clue stick..... fwiw the client says ie 6.0b nt 5.1..... and downloaded a 
couple of files quite acceptably and then ran riot with this lot :- some 
extracts from the apache log are included. (apache 2.0 without mod_dav!)

my real question is..... is this some sort of attempt to gain privilege or 
info or is it just normally obnoxious behaviour from IE6?

WEB-IIS _vti_inf access	2001-11-0207:58:27	4.3.2.1:51659	1.2.3.4:80	TCP
WEB-IIS _vti_inf access	2001-11-0207:58:27	4.3.2.1:51659	1.2.3.4:80	TCP
  [bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-0207:58:27	4.3.2.1:51660	
1.2.3.4:80	TCP
  [bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-0207:58:27	4.3.2.1:51660	
1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:38	
4.3.2.1:51661	1.2.3.4:80	TCP
  WEB-IIS _vti_inf access	2001-11-0207:58:42	4.3.2.1:51660	1.2.3.4:80	TCP
  WEB-IIS _vti_inf access	2001-11-0207:58:42	4.3.2.1:51660	1.2.3.4:80	TCP

[bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-02 07:58:42	4.3.2.1:51663	
1.2.3.4:80	TCP
  [bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-02 07:58:42	4.3.2.1:51663	
1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:52	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:52	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:52	
4.3.2.1:51661	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:58:52	
4.3.2.1:51661	1.2.3.4:80	TCP
  WEB-IIS _vti_inf access	2001-11-0207:58:59	4.3.2.1:51665	1.2.3.4:80	TCP
  WEB-IIS _vti_inf access	2001-11-0207:58:59	4.3.2.1:51665	1.2.3.4:80	TCP
  [bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-0207:58:59	4.3.2.1:51666	
1.2.3.4:80	TCP
  [bugtraq] WEB-FRONTPAGE _vti_rpc access	2001-11-0207:58:59	4.3.2.1:51666	
1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:59:09	
4.3.2.1:51667	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:59:09	
4.3.2.1:51667	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:59:09	
4.3.2.1:51667	1.2.3.4:80	TCP
  [arachNIDS] WEB-IIS view source via translate header	2001-11-0207:59:09	
4.3.2.1:51667	1.2.3.4:80	TCP

APACHE LOGS

"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 
47104 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access 
Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS 
FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 
200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 
"http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; 
Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access 
Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS 
FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft 
Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"






-- 
You're not my type.  For that matter, you're not even my species!!!
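
One way to triage extracts like the Apache lines above, as an added example that is not part of the original post: it separates the WebDAV, OPTIONS and FrontPage _vti_ requests from ordinary fetches and splits them by whether the server refused them (4xx/5xx) or answered them. The sample lines are copied from the post with the mail line wraps joined; the function names and the method list (RFC 2518 WebDAV methods plus OPTIONS) are choices made for this example.

```python
import re
from collections import Counter

# Extracts copied from the post, with the e-mail line wraps joined.
SAMPLE = [
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
    '"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"',
    '"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"',
    '"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"',
    '"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"',
    '"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"',
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
]

# Matches the shortened format shown in the post:
# "request line" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# RFC 2518 WebDAV methods plus OPTIONS (used for capability discovery).
DISCOVERY_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL",
                     "COPY", "MOVE", "LOCK", "UNLOCK"}

def is_publishing_request(method, path):
    """True for WebDAV/OPTIONS methods or FrontPage _vti_ paths."""
    return method in DISCOVERY_METHODS or "/_vti_" in path

def triage(lines):
    """Return (answered, refused, unparsed) for publishing-style requests.

    answered/refused map (agent, method, path, status) -> hit count.
    """
    answered, refused, unparsed = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)   # keep odd lines for manual review
            continue
        method, path, status = m["method"], m["path"], int(m["status"])
        if not is_publishing_request(method, path):
            continue                # ordinary fetch, not of interest here
        key = (m["agent"], method, path, status)
        (answered if status < 400 else refused)[key] += 1
    return answered, refused, unparsed

if __name__ == "__main__":
    ok, denied, odd = triage(SAMPLE)
    for label, bucket in (("answered", ok), ("refused", denied)):
        for (agent, method, path, status), n in sorted(bucket.items()):
            print(f"{label:8} {n}x {status} {method} {path}  [{agent}]")
```

On the sample, the PROPFIND and _vti_ requests all land in the refused bucket, while the two OPTIONS requests were answered with 200, so the Allow header returned for OPTIONS is the next thing to check.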



