SitePoint Sponsor

User Tag List

Results 1 to 2 of 2
  1. May 16, 2005, 00:36 #1
    jehoshua
    jehoshua is offline
    SitePoint Evangelist
    Join Date
    May 2003
    Posts
    590
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Is this website abuse ?

    Hi,

    The following from our web server logs:

    219.65.238.129 - - [02/May/2005:05:02:29 -0400] "OPTIONS /A-personal-word-from-the-director.doc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
    219.65.238.129 - - [02/May/2005:05:03:11 -0400] "PROPFIND /A-personal-word-from-the-director.doc HTTP/1.1" 405 358 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    219.65.238.129 - - [02/May/2005:05:03:12 -0400] "PROPFIND /A-personal-word-from-the-director.doc HTTP/1.1" 405 358 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    219.65.238.129 - - [02/May/2005:05:03:20 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
    219.65.238.129 - - [02/May/2005:05:03:21 -0400] "GET /_vti_inf.html HTTP/1.1" 302 312 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
    219.65.238.129 - - [02/May/2005:05:03:22 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 302 312 "-" "MSFrontPage/4.0"
    219.65.238.129 - - [02/May/2005:05:03:22 -0400] "OPTIONS /A-personal-word-from-the-director.doc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
    219.65.238.129 - - [02/May/2005:05:03:26 -0400] "PROPFIND /A-personal-word-from-the-director.doc HTTP/1.1" 405 358 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    219.65.238.129 - - [02/May/2005:05:03:27 -0400] "PROPFIND /A-personal-word-from-the-director.doc HTTP/1.1" 405 358 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    219.65.238.129 - - [02/May/2005:05:03:27 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    219.65.238.129 - - [02/May/2005:05:03:28 -0400] "PROPFIND /A-personal-word-from-the-director.doc HTTP/1.1" 405 358 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
    We don't have Front Page extentensions installed, so why would this visitor be doing this one .......

    219.65.238.129 - - [02/May/2005:05:03:22 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 302 312 "-" "MSFrontPage/4.0"
    and what is the PROPFIND method, is it a security exploit ?

    Thanks,

    Peter
  2. May 16, 2005, 01:55 #2
    HarryR
    HarryR is offline
    SitePoint Wizard HarryR's Avatar
    Join Date
    Dec 2004
    Location
    London, UK
    Posts
    1,376
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,
    Personally it just looks like somebody who's gotten mixed up and tried to edit a document and upload it to th site (or just not realizing that they can't change the document and let Windows do the rest).

    Basicly WebDav handles the PROPFIND and PUT protocol methods to allow people to upload, browse and modify documents using a WebDav client. Having WebDav enabled on the server can be a risk (and a severe pain in the **** when trying to admin a FrontPage server), but if you don't have it enabled it poses no risk to you at all.

    If you want to automaticly deny the PROPFIND and PUT methods just to feel a lilttle safer, you can use the following in your apache configuration:
    Code:
    <Limit GET POST HEAD>
   Order allow,deny
   Allow from all
</Limit>

<LimitExcept GET POST HEAD>
   Order deny,allow
   Deny from all
</Limit>
    Regards,
    - Harry
    Best MongoDB monitoring system, free for small sites
    Listen to Live DJs spinning the best UK underground sound

« Previous Thread | Next Thread »

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules