[Ossec-list] Strange HTTP PUT requests
- Subject: [Ossec-list] Strange HTTP PUT requests
- From: amedeo.salvati at selesta.it (Amedeo Salvati)
- Date: Thu, 01 Jun 2006 10:50:23 +0200
Hi all,
In the attachment you can find the log of my customer, who uses Ms Proxy ISA.
I have substituted all IPs with W.X.Y.Z when it is at the "start of line"
and Z.Y.X.W when it is in the rest of the log.
amedeo
ahmet ozturk wrote:
>Hi all,
>
>I searched for the "Microsoft Data Access Internet Publishing Provider"
>pattern in one of my web server's logs and saw that
>there are lots of these kinds of requests sent since December 2005.
>In addition to these PUT requests, I also have OPTIONS requests.
>
>81.213.201.188 - - [20/Jan/2006:23:15:45 +0200] "OPTIONS
>/ HTTP/1.1" 200 2790 "-" "Microsoft Data Access Internet
>Publishing Provider Protocol Discovery"
>81.215.133.193 - - [21/Feb/2006:14:47:09 +0200] "OPTIONS
>/known_file.doc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet
>Publishing Provider Protocol Discovery"
>194.27.57.205 - - [14/Mar/2006:15:04:01 +0200] "OPTIONS
>/ HTTP/1.1" 200 3004 "-" "Microsoft Data Access Internet
>Publishing Provider Protocol Discovery"
>
>I found a really old document that mentions vulnerable Microsoft NT/2000/IIS servers.
>http://www.computerweekly.com/Article121230.htm
>http://www.html4.com/mime/markup/php/how_to_en/how_to_system_en/how_to_system_4.php
>
>Regards,
>
>Ahmet Ozturk
>
>Daniel Cid wrote:
>
>
>>Since yesterday I'm seeing some strange HTTP PUT
>>requests. It says it comes from "Microsoft Data Access
>>Internet Publishing Provider", so initially I thought
>>it was from someone with a misconfigured client or
>>something like that. However, now I'm seeing it from
>>multiple IPs. Is there any known vulnerability in any
>>server handling these requests? Has anyone seen
>>this kind of attempt too?
>>
>>Sorry if I'm missing something obvious here.
>>
>>*First time I see this type of request in my logs.
>>
>>Portion of the logs:
>>
>>
>>69.9.175.242 - - [31/May/2006:15:53:44 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>69.9.175.242 - - [31/May/2006:15:53:44 -0300] "PUT
>>/default.asp HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>69.9.175.242 - - [31/May/2006:15:53:43 -0300] "PUT
>>/index.asp HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>69.9.175.242 - - [31/May/2006:15:53:43 -0300] "PUT
>>/index.htm HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>69.9.175.242 - - [31/May/2006:15:53:35 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>69.9.175.242 - - [31/May/2006:15:53:35 -0300] "PUT
>>/default.asp HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT
>>/default.asp HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT
>>/index.asp HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>64.214.127.143 - - [31/May/2006:18:00:16 -0300] "PUT
>>/index.htm HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>64.214.127.143 - - [31/May/2006:18:00:03 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:54 -0300] "PUT
>>/index.asp HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT
>>/index.asp HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT
>>/index.htm HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:53 -0300] "PUT
>>/index.htm HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT
>>/default.htm HTTP/1.0" 405 320 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT
>>/default.htm HTTP/1.0" 405 320 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:21:39:49 -0300] "PUT
>>/default.asp HTTP/1.0" 405 320 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT
>>/default.asp HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT
>>/index.asp HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:22:41:52 -0300] "PUT
>>/index.htm HTTP/1.0" 405 319 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>67.18.222.66 - - [31/May/2006:22:41:42 -0300] "PUT
>>/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
>>Access Internet Publishing Provider DAV 1.1"
>>
>>
>>Thanks,
>>
>>--
>>Daniel B. Cid
>>dcid @ ( at ) ossec.net
>>
>>_______________________________________________
>>ossec-list mailing list
>>ossec-list at ossec.net
>>http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.underlinux.com.br/pipermail/ossec-list/attachments/20060601/0bb82368/attachment-0001.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ms_data_access.log
Url: http://mailman.underlinux.com.br/pipermail/ossec-list/attachments/20060601/0bb82368/attachment-0001.ksh
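
A log-triage sketch for the requests discussed in this thread, added here as an example (not code from the posters or the OSSEC project). It rejoins mail-wrapped Apache combined-log records, groups requests carrying the "Microsoft Data Access Internet Publishing Provider" User-Agent by client, and marks any client whose PUT received a 2xx status instead of the 405 seen in the excerpts. The sample lines are constructed, use documentation addresses, and assume mail quote markers have already been stripped.

```python
import re
from collections import defaultdict

# User-Agent prefix quoted in the thread's log excerpts.
UA_MARKER = "Microsoft Data Access Internet Publishing Provider"
# Apache combined log format, as in the excerpts.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
NEW_RECORD = re.compile(r'^\d{1,3}(\.\d{1,3}){3} ')

def unwrap(text):
    """Rejoin mail-wrapped records; a record starts with a client IPv4 address."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if NEW_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Per client: methods used, paths requested, whether any PUT got a 2xx."""
    hits = defaultdict(lambda: {"methods": set(), "paths": set(), "accepted_put": False})
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if not m or UA_MARKER not in m["ua"]:
            continue
        entry = hits[m["ip"]]
        entry["methods"].add(m["method"])
        entry["paths"].add(m["path"])
        # 405 (as in the thread) means the PUT was refused; 2xx means it succeeded.
        if m["method"] == "PUT" and m["status"].startswith("2"):
            entry["accepted_put"] = True
    return dict(hits)

# Constructed sample: one wrapped record, one refused PUT, one accepted PUT, one unrelated GET.
SAMPLE = '''192.0.2.10 - - [31/May/2006:15:53:44 -0300] "PUT
/default.htm HTTP/1.0" 405 321 "-" "Microsoft Data
Access Internet Publishing Provider DAV 1.1"
192.0.2.10 - - [31/May/2006:15:53:45 -0300] "PUT /index.asp HTTP/1.0" 405 319 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
198.51.100.7 - - [20/Jan/2006:23:15:45 +0200] "OPTIONS / HTTP/1.1" 200 2790 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
198.51.100.7 - - [20/Jan/2006:23:15:50 +0200] "PUT /index.htm HTTP/1.1" 201 - "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
203.0.113.5 - - [20/Jan/2006:23:16:00 +0200] "GET / HTTP/1.1" 200 2790 "-" "Mozilla/4.0"
'''
```

A client with `accepted_put` set is the one to review first, since the server stored what it sent; clients that only collected 405 responses were refused.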
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.