Home All Groups Group Topic Archive Search About

IIS logs show domain laptop logging into WEBDAV

microsoft.public.inetserver.iis.security
Author
30 Jun 2006 12:18 PM
FD
Hi,

I have a curious problem that I hope someone can shed some light on.  The
log below shows a domain laptop logging in to our webserver's webdav. This
incident occurs after business hours. The bad news is it is my laptop's IP
address. (I leave my laptop on to run the virus scanner, etc.). Our
webserver is on the optional side of the firewall and I am not mapped to the
webserver in any way.  I originally set the WEBDAV program up via RDP on my
laptop. I have run virus scanners, adware checkers, etc. but I just can not
figure out why my laptop's IP shows up in the IIS logs.  It doesn't seem to
be causing a problem but it has me perplexed.

Any help would be greatly appreciated



(I purposefully changed the IP's in log to protect the guilty (me).



Thanks,

FD





#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-30 09:15:05 X.X.X.135 OPTIONS / - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.bat - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.cmd - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.exe - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.com - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.pif - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.lnk - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.bat - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.cmd - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.exe - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.com - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.pif - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.lnk - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
#Software: Microsoft Internet Information Services 6.0

Author
1 Jul 2006 10:02 PM
David Wang [Msft]
Maybe you have a WebDAV link in your "My Network Places" special folder
(available from the Start Menu) to your webserver that the virus scanner
unknowningly traverses during scanning.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Show quoteHide quote
"FD" <fd@nospam.net> wrote in message
news:%23lv6%238DnGHA.4572@TK2MSFTNGP05.phx.gbl...
>
>
> Hi,
>
> I have a curious problem that I hope someone can shed some light on.  The
> log below shows a domain laptop logging in to our webserver's webdav. This
> incident occurs after business hours. The bad news is it is my laptop's IP
> address. (I leave my laptop on to run the virus scanner, etc.). Our
> webserver is on the optional side of the firewall and I am not mapped to
> the webserver in any way.  I originally set the WEBDAV program up via RDP
> on my laptop. I have run virus scanners, adware checkers, etc. but I just
> can not figure out why my laptop's IP shows up in the IIS logs.  It
> doesn't seem to be causing a problem but it has me perplexed.
>
> Any help would be greatly appreciated
>
>
>
> (I purposefully changed the IP's in log to protect the guilty (me).
>
>
>
> Thanks,
>
> FD
>
>
>
>
>
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
> cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
> 2006-06-30 09:15:05 X.X.X.135 OPTIONS / - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.bat - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.cmd - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.exe - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.com - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.pif - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.lnk - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.bat - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.cmd - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.exe - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.com - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.pif - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV.lnk - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 0
> 2006-06-30 09:15:05 X.X.X.135 PROPFIND /WEBDAV - 80 - 192.168.1.150
> Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> #Software: Microsoft Internet Information Services 6.0
>
>
>
>
>
>



Post Other interesting topics
Is there a way to avoid/security alert box from redirecting to HTTP to HTTPS?
Can Somone Tell Me If We Have a Hacker?
login problem with iis and webdav.
A little help (kerberos, netbios, and SPN... oh my!)
The IIS service does not seem to be serving up .asmx or .asp pages
Can i make personal ssl cert from verisign's one?
Filtering Query String
IIS6 HTTPS POST not being returned to .ASP file...
IIS5: Renew certificate
monitor access to docs on IIS