Any Web security experts around? [Archive] - PCMech Forums


mikeheitz
01-02-2003, 10:18 AM
Hey gang, Happy New Year!

Got a question... I've posed this on a couple forums, but not here yet.

I've run across a couple log entries on my OWA server. I'm pretty new to security (about a decade as a network admin, now taking on more and more responsibility) and have Googled the Propfind command... only a handful of results (including a MS Whitepaper I am currently reading).

Does anyone know what this is exactly? We do not have Instant Messaging enabled on the server... my main concern is that the Username that was listed was my own!!! I've used Visual Route to trace the IP addresses back with marginal success (one got lost after a bunch of hops and the other ended up in Pittsburgh, PA).

Any ideas or info would be greatly appreciated. Thanks!

2002-12-19 17:35:28 65.119.193.141 - 192.168.43.17 80 PROPFIND /instmsg/aliases/<username> - 404 -

then a short time later

2002-12-19 20:54:13 141.189.251.1 - 192.168.43.17 80 PROPFIND /instmsg/aliases/<username> - 404 -

Since the original 2 attacks listed here, there have been a few more attempts. Nothing major since they aren't getting anywhere with it, but it's a little disconcerting nonetheless. In the 2+ weeks since the first time I saw this, I have really found ZERO information about what exactly this is. I know what the PROPFIND statement is, but unless it's coming directly from me (since it's my username) this is an obvious attempt by someone to get into our server. I haven't found any info on exploits they might be targeting...

OK, enough rambling... ANY help or ideas would be appreciated.

Thanks
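
Added example, not part of the original thread: one way to summarise requests like the two quoted above, grouping PROPFIND requests under /instmsg/aliases/ by source address so repeat sources, targeted aliases and response codes are visible at a glance. The field order is assumed from the quoted entries; the alias `jdoe`, the function names and the two extra sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Field order assumed from the quoted entries; a "#Fields:" header overrides it.
DEFAULT_FIELDS = ("date time c-ip cs-username s-ip s-port cs-method "
                  "cs-uri-stem cs-uri-query sc-status cs(User-Agent)").split()
WATCH_PREFIX = "/instmsg/aliases/"

# Constructed sample: the post's two entries ("jdoe" stands in for <username>) plus two made-up rows.
SAMPLE_LOG = """\
2002-12-19 17:35:28 65.119.193.141 - 192.168.43.17 80 PROPFIND /instmsg/aliases/jdoe - 404 -
2002-12-19 20:54:13 141.189.251.1 - 192.168.43.17 80 PROPFIND /instmsg/aliases/jdoe - 404 -
2002-12-20 09:01:02 192.168.43.50 - 192.168.43.17 80 GET /exchange/ - 200 -
2002-12-21 08:12:44 65.119.193.141 - 192.168.43.17 80 PROPFIND /instmsg/aliases/jdoe - 404 -
"""

def parse(lines):
    """Yield one dict per request line, skipping comments and malformed rows."""
    fields = DEFAULT_FIELDS
    for line in lines:
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]
        elif parts and not line.startswith("#") and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def summarize_probes(lines):
    """Group PROPFIND requests for IM aliases from non-private sources by IP."""
    hits = defaultdict(lambda: {"count": 0, "aliases": set(), "statuses": set(),
                                "first": None, "last": None})
    for r in parse(lines):
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"].upper() != "PROPFIND" or not uri.startswith(WATCH_PREFIX):
            continue
        try:
            if ipaddress.ip_address(r["c-ip"]).is_private:
                continue  # the post's concern is requests from outside
        except ValueError:
            continue      # c-ip was not an address; treat the row as malformed
        h, stamp = hits[r["c-ip"]], f'{r["date"]} {r["time"]}'
        h["count"] += 1
        h["aliases"].add(uri[len(WATCH_PREFIX):])
        h["statuses"].add(r["sc-status"])
        h["first"] = h["first"] or stamp  # log rows are in time order
        h["last"] = stamp
    return dict(hits)

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_LOG.splitlines()))
```
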

reboot
01-02-2003, 11:40 AM
Here's a bunch of stuff on the first one: http://openrbl.org/ip/65/119/193/141.htm
Appears it comes from 24/7 media, an ad company

mikeheitz
01-02-2003, 11:48 AM
Thanks Jim... I've actually used Visual Route to figure out where they are coming from. I just have no idea why these things suddenly started popping up.

One guy I spoke with mentioned that maybe I sent someone an email and they are basically trying to find out if I have an instant messaging ID in the same domain. But I'm not sure about that since I've never emailed anyone at any of these domains, and the fact that the same IP addresses keep trying it.