From: Mark Rowlands (mark.rowlandsminmail.net)
Date: Fri Nov 02 2001 - 15:37:36 CST


    I received this little lot inside 30 seconds.....anyone care to hit me with
    a clue stick.....fwiw the client says ie 6.0b nt 5.1.....and downloaded a
    couple of files quite acceptably and then ran riot with this lot :- some
    extracts from the apache log are included. (apache 2.0 without mod_dav!)

    my real question is.....is this some sort of attempt to gain privilege or
    info or is it just normally obnoxious behaviour from IE6?

    WEB-IIS _vti_inf access 2001-11-0207:58:27 4.3.2.1:51659 1.2.3.4:80 TCP
    WEB-IIS _vti_inf access 2001-11-0207:58:27 4.3.2.1:51659 1.2.3.4:80 TCP
      [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-0207:58:27 4.3.2.1:51660
    1.2.3.4:80 TCP
      [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-0207:58:27 4.3.2.1:51660
    1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:38
    4.3.2.1:51661 1.2.3.4:80 TCP
      WEB-IIS _vti_inf access 2001-11-0207:58:42 4.3.2.1:51660 1.2.3.4:80 TCP
      WEB-IIS _vti_inf access 2001-11-0207:58:42 4.3.2.1:51660 1.2.3.4:80 TCP

    [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:42 4.3.2.1:51663
    1.2.3.4:80 TCP
      [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:42 4.3.2.1:51663
    1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:52
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:52
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:52
    4.3.2.1:51661 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:58:52
    4.3.2.1:51661 1.2.3.4:80 TCP
      WEB-IIS _vti_inf access 2001-11-0207:58:59 4.3.2.1:51665 1.2.3.4:80 TCP
      WEB-IIS _vti_inf access 2001-11-0207:58:59 4.3.2.1:51665 1.2.3.4:80 TCP
      [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-0207:58:59 4.3.2.1:51666
    1.2.3.4:80 TCP
      [bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-0207:58:59 4.3.2.1:51666
    1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:59:09
    4.3.2.1:51667 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:59:09
    4.3.2.1:51667 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:59:09
    4.3.2.1:51667 1.2.3.4:80 TCP
      [arachNIDS] WEB-IIS view source via translate header 2001-11-0207:59:09
    4.3.2.1:51667 1.2.3.4:80 TCP

    APACHE LOGS

    "PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
    "GET /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200
    47104 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b;
    Windows NT 5.1)"
    "OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access
    Internet Publishing Provider Cache Manager"
    "GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS
    FrontPage 4.0)"
    "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
    "OPTIONS /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1"
    200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
    "PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
    "PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
    "GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744
    "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b;
    Windows NT 5.1)"
    "OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access
    Internet Publishing Provider Cache Manager"
    "GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS
    FrontPage 4.0)"
    "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
    "OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft
    Data Access Internet Publishing Provider DAV 1.1"
    "PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
    "PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"

    -- 
    You're not my type.  For that matter, you're not even my species!!!
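
A triage sketch for the Apache excerpt above, added here as an example and not part of the original post: it groups each request by the client family its User-Agent names and reports any authoring request the server answered with success. The family labels and the `parse`/`triage` helpers are hypothetical; the sample is the first download sequence from the excerpt with the e-mail line wrapping undone.

```python
import re
from collections import Counter

# Constructed sample: first download sequence from the Apache excerpt above,
# with the e-mail line wrapping undone.
SAMPLE = [
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
    '"GET /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 47104 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"',
    '"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"',
    '"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"',
    '"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"',
    '"OPTIONS /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"',
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
]

LINE = re.compile(r'"(\S+) (\S+) HTTP/[\d.]+" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# User-Agent substring -> client family. Labels are hypothetical; the header is
# client-supplied, so this grouping is a triage aid, not proof of identity.
FAMILIES = [
    ("WebDAV-MiniRedir", "webdav-redirector"),
    ("Internet Publishing Provider", "office-publishing"),
    ("FrontPage", "frontpage-client"),
    ("MSIE", "browser"),
]

def family(ua):
    return next((name for needle, name in FAMILIES if needle in ua), "other")

def parse(lines):
    """Return (family, method, path, status) for each parsable log line."""
    out = []
    for line in lines:
        m = LINE.search(line)
        if m:
            method, path, status, ua = m.groups()
            out.append((family(ua), method, path, int(status)))
    return out

def triage(lines):
    """Count (family, method, status); list helper requests the server honoured."""
    reqs = parse(lines)
    counts = Counter((f, m, s) for f, m, _, s in reqs)
    # OPTIONS 200 only advertises allowed methods; any other 2xx answer to a
    # non-browser client deserves a closer look at what the server exposed.
    honoured = [r for r in reqs
                if r[0] != "browser" and r[1] != "OPTIONS" and 200 <= r[3] < 300]
    return counts, honoured
```

On the sample, `triage(SAMPLE)` returns an empty `honoured` list: every FrontPage and WebDAV request was refused with 404 or 405, and only the browser's own GET returned content.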
    
