Logging strange events on local webserver.

Status
Not open for further replies.

petrosky

Technical User
Aug 1, 2001
512
AU
Hi guys/gals,

I have a very basic intranet website for internal reporting.

Recently I built in some user tracking on the site that logs areas different users visit.

In the logs I notice "hits" coming from another machine on the LAN that should not be using this resource at all.

The Apache logs indicate the following events.

Code:
192.168.1.151 - - [15/Feb/2011:10:03:49 +1100] "OPTIONS / HTTP/1.1" 200 3237
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043

I have run full a/v scans and trojan scans on the machine in question with nothing found.

Does anyone have any other idea what might be causing the machine to try to hit up this server?

Remember- It's nice to be important,
but it's important to be nice :)
 
This looks like a crawler bot and is normal traffic, unfortunately. The best thing to do is focus on making sure your system is secure and up to date, as unfortunately you can't stop this kind of thing in its entirety.

Based upon what you have posted, I would hazard a guess that it is Microsoft's webdav-miniredir. See this link:
Our server at work was getting hit with this pernicious little pest and it would rack up hundreds of hits trying to find a way to get a shell prompt via some IIS vulnerabilities. It turns out that it doesn't accept 403 or 405 error codes. The trick with it is to give it a 404 error code, after which it will go away, at least for that round.
 
Hi NoWay2,

Thanks a lot. I implemented this code into my header files for the site and now Apache just logs the 404 and my site log remains clean.

Code:
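switch ($_SERVER['REQUEST_METHOD']) {
    case 'GET':
    case 'POST':
        // Normal page requests fall through to the rest of the site.
        break;
    default:
        // Every other method (WebDAV's PROPFIND, plus OPTIONS, HEAD, etc.)
        // gets a 404 and stops before the site's own tracking code runs.
        header('HTTP/1.1 404 Not Found');
        exit();
}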



Remember- It's nice to be important,
but it's important to be nice :)
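
To see which machines on the LAN are sending this kind of request, the access log itself can be summarised by client and method. The following Python sketch is an added example and not code from anyone in the thread; it assumes Apache's Common Log Format as shown in the first post, and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Methods added by WebDAV (RFC 4918); a WebDAV client usually sends OPTIONS first.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
EXPECTED_METHODS = {"GET", "POST"}  # the methods the PHP switch in the thread allows

def summarize(lines):
    """Per client: methods, status codes and paths of requests outside EXPECTED_METHODS."""
    report = defaultdict(lambda: {"methods": Counter(), "statuses": Counter(),
                                  "paths": set(), "webdav": False})
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m["method"] in EXPECTED_METHODS:
            continue  # skip malformed lines and ordinary page requests
        entry = report[m["host"]]
        entry["methods"][m["method"]] += 1
        entry["statuses"][m["status"]] += 1
        entry["paths"].add(m["path"])
        entry["webdav"] = entry["webdav"] or m["method"] in WEBDAV_METHODS
    return dict(report)

# First five lines are the ones posted in the thread; the last two are constructed.
SAMPLE = """\
192.168.1.151 - - [15/Feb/2011:10:03:49 +1100] "OPTIONS / HTTP/1.1" 200 3237
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.151 - - [15/Feb/2011:10:03:50 +1100] "PROPFIND /pricelists HTTP/1.1" 405 1043
192.168.1.20 - - [15/Feb/2011:10:04:02 +1100] "GET /pricelists HTTP/1.1" 200 5120
this line is not in common log format
""".splitlines()

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        kind = "WebDAV client" if info["webdav"] else "unexpected methods"
        print(host, kind, dict(info["methods"]), dict(info["statuses"]),
              sorted(info["paths"]))
```

An OPTIONS request followed by repeated PROPFIND requests against the same path is the pattern of a client trying to open the URL as a WebDAV share, so the next place to look is whatever on that machine has the site's address mapped or bookmarked.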
 