Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Logging strange events on local webserver. 1

Status
Not open for further replies.
petrosky

petrosky

Technical User
Aug 1, 2001
512
AU
Hi guys/gals,

I have a very basic intranet website for internal reporting.

Recently I built in some user tracking on the site that logs areas different users visit.

In the logs I notice "hits" coming from another machine on the LAN that should not be using this resource at all.

The apache logs indicate the following events.

Code: 
192.168.1.151 - - [15/Feb/2011:10:03:49 +1100] "OPTIONS / HTTP/1.1" 200 3237
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043

I have run full a/v scans and trojan scans on the machine in question with nothing found.

Does anyone have any other idea what might be causing the machine to try to hit up this server?

Remember- It's nice to be important,
but it's important to be nice :)
 
Sort by date Sort by votes
This looks like a crawler bot and is normal traffic, unfortunately, The best thing to do is focus on making sure your system is secure and up to date as unfortunately you can't stop this kind of thing in its entirety.

Based upon what you have posted, I would hazzard a guess that it is Microsoft's webdav-miniredir. See this link:
Our server at work was getting hit with this pernicious little pest and it would rack up hundreds of hits trying to find a way to get a shell prompt via some IIS vulnerabilities. It turns out that it doesn't accept 403 or 405 error codes. The trick with it is to give it a 404 error code, after which it will go away, at least for that round.
 
Upvote 0 Downvote
Hi NoWay2,

Thanks a lot. I implemented this code into my header files for the site and now apache just logs the 404 and my site log remains clean.

Code: 
switch($_SERVER['REQUEST_METHOD']) {
case 'GET':
case 'POST':
break;
default:
// All other WebDAV methods, such as PROPFIND, OPTIONS, HEAD
header('HTTP/1.1 404 Not Found');
exit();
}



Remember- It's nice to be important,
but it's important to be nice :)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
323
Sameer258
Sameer258
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
100
PauS0n
PauS0n
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
111
mcisar
mcisar
cbsarge
  • Locked
  • Question
SonicWALL Mobile Connect on Chromebooks
Replies
1
Views
133
jcarmichael1203
jcarmichael1203
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
102
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top