#1
Member (8 bit)

Any Web security experts around?

Hey gang, Happy New Year!

Got a question... I've posed this on a couple forums, but not here yet. I've run across a couple log entries on my OWA server. I'm pretty new to security (about a decade as a network admin, now taking on more and more responsibility) and have Googled the Propfind command... only a handful of results (including a MS Whitepaper I am currently reading). Does anyone know what this is exactly? We do not have Instant Messaging enabled on the server... my main concern is that the Username that was listed was my own!!! I've used Visual Route to trace the IP addresses back with marginal success (one got lost after a bunch of hops and the other ended up in Pittsburgh, PA). Any ideas or info would be greatly appreciated. Thanks!

2002-12-19 17:35:28 65.119.193.141 - 192.168.43.17 80 PROPFIND /instmsg/aliases/

then a short time later

2002-12-19 20:54:13 141.189.251.1 - 192.168.43.17 80 PROPFIND /instmsg/aliases/

Since the original 2 attacks listed here, there have been a few more attempts. Nothing major since they aren't getting anywhere with it, but it's a little disconcerting nonetheless. In the 2+ weeks since the first time I saw this, I have really found ZERO information about what exactly this is. I know what the PROPFIND statement is, but unless it's coming directly from me (since it's my username) this is an obvious attempt by someone to get into our server. I haven't found any info on exploits they might be targeting...

OK, enough rambling... ANY help or ideas would be appreciated. Thanks

#2
Member (14 bit)
Join Date: Mar 1999
Location: Kelowna, B.C., Canada
Posts: 9,138

Here's a bunch of stuff on the first one: http://openrbl.org/ip/65/119/193/141.htm
Appears it comes from 24/7 media, an ad company

#3
Member (8 bit)

Thanks Jim... I've actually used Visual Route to figure out where they are coming from. I just have no idea why these things suddenly started popping up.
One guy I spoke with mentioned that maybe I sent someone an email and they are basically trying to find out if I have an instant messaging ID in the same domain. But I'm not sure about that since I've never emailed anyone at any of these domains, and the fact that the same IP addresses keep trying it.