[Ossec-list] Strange HTTP PUT requests
- Subject: [Ossec-list] Strange HTTP PUT requests
- From: oahmet at metu.edu.tr (ahmet ozturk)
- Date: Thu, 01 Jun 2006 11:23:00 +0300
Hi all,
I searched for the "Microsoft Data Access Internet Publishing Provider"
pattern in one of my web server's logs and saw that
there have been lots of these kinds of requests sent since December 2005.
In addition to these PUT requests, I also have OPTIONS requests.
81.213.201.188 - - [20/Jan/2006:23:15:45 +0200] "OPTIONS / HTTP/1.1" 200 2790 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
81.215.133.193 - - [21/Feb/2006:14:47:09 +0200] "OPTIONS /known_file.doc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
194.27.57.205 - - [14/Mar/2006:15:04:01 +0200] "OPTIONS / HTTP/1.1" 200 3004 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
I found a really old document that mentions vulnerable Microsoft NT/2000/IIS servers.
http://www.computerweekly.com/Article121230.htm
http://www.html4.com/mime/markup/php/how_to_en/how_to_system_en/how_to_system_4.php
Regards,
Ahmet Ozturk
Daniel Cid wrote:
> Since yesterday I'm seeing some strange HTTP PUT
> requests. It says it comes from "Microsoft Data Access
> Internet Publishing Provider", so initially I thought
> it was from someone with a misconfigured client or
> something like that. However, now I'm seeing it from
> multiple IPs. Is there any known vulnerability in any
> server handling these requests? Has anyone seen
> this kind of attempt too?
>
> Sorry if I'm missing something obvious in here.
>
> *First time I see this type of request in my logs.
>
> Portion of the logs:
>
>
> 69.9.175.242 - - [31/May/2006:15:53:44 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 69.9.175.242 - - [31/May/2006:15:53:44 -0300] "PUT /default.asp HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 69.9.175.242 - - [31/May/2006:15:53:43 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 69.9.175.242 - - [31/May/2006:15:53:43 -0300] "PUT /index.htm HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 69.9.175.242 - - [31/May/2006:15:53:35 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 69.9.175.242 - - [31/May/2006:15:53:35 -0300] "PUT /default.asp HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT /default.asp HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT /index.htm HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 64.214.127.143 - - [31/May/2006:18:00:03 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:54 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT /index.htm HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT /index.htm HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT /default.htm HTTP/1.0" 405 320 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT /default.htm HTTP/1.0" 405 320 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT /default.asp HTTP/1.0" 405 320 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT /default.asp HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT /index.htm HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
> 67.18.222.66 - - [31/May/2006:22:41:42 -0300] "PUT /default.htm HTTP/1.0" 405 321 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
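
Added example, not part of the original messages: a small log triage script for the requests discussed in this thread. It groups combined-format access log entries carrying the "Microsoft Data Access Internet Publishing Provider" User-Agent by source IP and separates refused writes (405, as in the logs above) from writes the server answered with a 2xx status. The function names and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
UA_MARKER = "Microsoft Data Access Internet Publishing Provider"
# HTTP/WebDAV methods that modify content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

def summarize(lines):
    """Group requests whose User-Agent contains UA_MARKER by source IP."""
    report = defaultdict(
        lambda: {"requests": 0, "paths": set(), "accepted_writes": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or UA_MARKER not in m["agent"]:
            continue
        entry = report[m["ip"]]
        entry["requests"] += 1
        entry["paths"].add(m["path"])
        # 405 means the server refused the method; a 2xx reply to a write
        # method means it was accepted and the target file needs review.
        if m["method"] in WRITE_METHODS and m["status"].startswith("2"):
            entry["accepted_writes"].append(
                (m["method"], m["path"], int(m["status"])))
    return dict(report)

def hosts_with_accepted_writes(report):
    """Source IPs that had at least one write request accepted."""
    return sorted(ip for ip, e in report.items() if e["accepted_writes"])

UA = '"-" "' + UA_MARKER
# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE = [
    '192.0.2.10 - - [31/May/2006:15:53:44 -0300] "PUT /default.htm HTTP/1.0" 405 321 ' + UA + ' DAV 1.1"',
    '192.0.2.10 - - [31/May/2006:15:53:40 -0300] "OPTIONS / HTTP/1.1" 200 2790 ' + UA + ' Protocol Discovery"',
    '198.51.100.7 - - [31/May/2006:18:00:16 -0300] "PUT /index.htm HTTP/1.0" 201 - ' + UA + ' DAV 1.1"',
    '203.0.113.5 - - [31/May/2006:18:01:02 -0300] "GET /index.htm HTTP/1.1" 200 3004 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for ip, e in sorted(rep.items()):
        print(ip, e["requests"], sorted(e["paths"]), e["accepted_writes"])
    print("review:", hosts_with_accepted_writes(rep))
```
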