What's this in my apache log? ( "PROPFIND /C%24 HTTP/1.

Post by VanDan » Mon Oct 04, 2004 9:47 am

I'm getting this in my apache access log:

Code:

203.122.81.18 - - [04/Oct/2004:18:41:32 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:41:33 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:42:35 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:42:37 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:43:57 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:43:57 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:45:07 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:45:08 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:45:17 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:46:20 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:46:21 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:47:54 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:47:54 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

Does anyone know what it is?

2 hits per minute, every minute, seems a bit rude...
Should I just firewall them or what?

Post by hds » Mon Oct 04, 2004 9:57 am

http://forums.devshed.com/archive/t-166086

btw.. just more fun than blocking, is simply redirecting the request to microsoft.com
and make sure you choose a huge file, like ie6full or similar :lol:
http://developer.berlios.de/projects/kdeskel/
His: Athlon 1200TB, Hers: Athlon 1200 Duron, Garden: IBM Thinkpad 600, Server: K6-2, rootserver: P4
http://www.audioscrobbler.com:80/user/hds/

Post by tuxmin » Mon Oct 04, 2004 10:05 am

Someone tries to connect to your Apache via DAV. This is an extension to HTTP that allows bidirectional transfer of files. If you do not have DAV activated in your Apache there is nothing to be concerned about.
ALT-F4

Post by VanDan » Mon Oct 04, 2004 10:11 am

hds wrote:
> http://forums.devshed.com/archive/t-166086
>
> btw.. just more fun than blocking, is simply redirecting the request to microsoft.com
> and make sure you choose a huge file, like ie6full or similar :lol:

Interesting.

So I'd do something like make an 'OPTIONS' folder, and in the index.html file, re-direct to the IE6 download, eh?

I'm no apache / html genius ... I assume you could do the same thing in the apache config file too, but I had a brief look at it, and it looks like it's more trouble than it's worth.

Post by hds » Mon Oct 04, 2004 11:20 am

VanDan wrote:
> and it looks like it's more trouble than it's worth.

yeah right, i was just kidding a little, because IMHO microsoft deserves a little bandwidth-abuse for all of this pun ;)
if you actually need your webserver running to the public, there is no way to get rid of those requests. but as someone else already pointed out correctly - they don't harm your apache anyway. it's just annoying (IMHO) if you browse the logs to see what's up. and it is annoying if you are (like me) low on bandwidth because all those requests might tie your network down a bit.

or are those requests always from the same IP? checking out the IP i see they belong to an address range from an ISP. so if you get this from the very same IP for more than 24H you could inform that admin. but my guess is, it's just a poor windows user who fetched a worm.

for your record:

Code:

router:~ # nmap -v 203.122.81.18

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host  (203.122.81.18) appears to be up ... good.
Initiating Connect() Scan against  (203.122.81.18)
Adding TCP port 1025 (state open).
Adding TCP port 445 (state open).
Adding TCP port 3389 (state open).
Adding TCP port 135 (state open).
Adding TCP port 5000 (state open).
The Connect() Scan took 46 seconds to scan 1542 ports.
Interesting ports on  (203.122.81.18):
(The 1537 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
445/tcp    open        microsoft-ds
1025/tcp   open        listen
3389/tcp   open        msrdp
5000/tcp   open        fics
http://developer.berlios.de/projects/kdeskel/
His: Athlon 1200TB, Hers: Athlon 1200 Duron, Garden: IBM Thinkpad 600, Server: K6-2, rootserver: P4
http://www.audioscrobbler.com:80/user/hds/
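
A log check for the pattern discussed in this thread, added here as an example and not code from any of the posters: it groups WebDAV-method requests by client, decodes the path (/C%24 is /C$), and reports whether the server ever answered one with a 2xx status, which would mean DAV is active rather than refused. The function name and the final sample line (a constructed ordinary GET) are assumptions; the other sample lines are copied from the first post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Methods that WebDAV (RFC 4918) adds on top of plain HTTP.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Apache "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Sample input: first four lines are from the first post, the last one is constructed.
SAMPLE_LOG = """\
203.122.81.18 - - [04/Oct/2004:18:41:32 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:41:33 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:42:35 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
203.122.81.18 - - [04/Oct/2004:18:42:37 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.10 - - [04/Oct/2004:18:42:40 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"
"""

def summarize_dav_probes(log_text):
    """Group WebDAV-method requests by client IP; other requests are ignored."""
    clients = defaultdict(lambda: {"hits": 0, "paths": set(), "statuses": set(),
                                   "agents": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in DAV_METHODS:
            continue
        c = clients[m["ip"]]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        c["hits"] += 1
        c["paths"].add(unquote(m["path"]))       # /C%24 decodes to /C$
        c["statuses"].add(int(m["status"]))
        c["agents"].add(m["agent"])
        c["first"] = min(c["first"] or ts, ts)
        c["last"] = max(c["last"] or ts, ts)
    for c in clients.values():
        # 405 = method refused; any 2xx (e.g. 207 Multi-Status) means DAV answered.
        c["dav_answered"] = any(200 <= s < 300 for s in c["statuses"])
    return dict(clients)

if __name__ == "__main__":
    for ip, c in summarize_dav_probes(SAMPLE_LOG).items():
        print(ip, c["hits"], sorted(c["paths"]), sorted(c["statuses"]),
              "DAV answered" if c["dav_answered"] else "DAV refused", c["last"] - c["first"])
```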