Microsoft-WebDAV-MiniRedir/6.0.6001

Travis McGee wrote:

IIS Server behind a router is being hit by internal machines which are also behind a router. The hit/request is "E", "C" as the csUriStem in the IIS logs.... looks like it is going after the drive/share name on the web server. Searched for the Microsoft-WebDav-MiniRedir spyware/malware issue. There is plenty of reporting out there but not a single good reply to the postings. I ran the Microsoft OneCare utility on the misbehaving client machine....it did not help (actually, it did find 2, but did not remove them). Any help on this Microsoft-WebDav-MiniRedir (client agent) garbage?

On 04/16/09 12:27, Travis McGee wrote:
> IIS Server behind a router is being hit by internal machines which are also
> behind a router.
> ....
> Any help on this Microsoft-WebDav-MiniRedir (client agent) garbage?

It looks like "Microsoft-WebDav-MiniRedir" is the User Agent string that is used by the Web Folder (WebClient) director by Windows. Windows XP has a version string of 5.<something>, so seeing as how your version string is 6.<something> I'm guessing that the client in question is a Vista (?) system that is trying to access contents on the server via WebDAV / Web Folder / WebClient rather than standard SMB / CIFS shares. Check to make sure that your client is to a UNC rather than to a URL.

Grant. . . .

"Travis McGee" wrote:

I kind of know the Agent / Vista / MiniRedir part and what it means.

The issue is the virus. The reason why I posted here is that when you search for this malware with key words, the closest complaints came from IIS admins observing a high quantity of hits in their logs coming from their internal IP addresses hitting the web servers with the name of the hard drive where IIS is installed: i.e. http://10.0.0.50/c (that has an external internet IP address:80 being routed to 10.0.0.50) ..... thousands of hits coming from the infected internal IP address (i.e. a Vista machine).

Unfortunately, I could not find a good solution in the security forums. IIS people are the ones who are reporting this, but there is no good explanation about what kind of spyware/malware this thing is.
The reason why my machines get infected is ... running scanning scripts with IE collecting info from an IP range ... i.e. hitting web sites http://245.45.16.1 - http://246.45.16.254 trying to find out which company a certain IP address (i.e. 245.45.16.9) belongs to.

"Grant Taylor" <gtay***@riverviewtech.net> wrote in message news:gs839j$2fj2$1@tranq7.tranquility.net...
> On 04/16/09 12:27, Travis McGee wrote:
>> IIS Server behind a router is being hit by internal machines which are also
>> behind a router.
> ...
>> Any help on this Microsoft-WebDav-MiniRedir (client agent) garbage?
>
> It looks like "Microsoft-WebDav-MiniRedir" is the User Agent string that
> is used by the Web Folder (WebClient) director by Windows. Windows XP has
> a version string of 5.<something>, so seeing as how your version string is
> 6.<something> I'm guessing that the client in question is a Vista (?)
> system that is trying to access contents on the server via WebDAV / Web
> Folder / WebClient rather than standard SMB / CIFS shares. Check to make
> sure that your client is to a UNC rather than to a URL.
>
> Grant. . . .

Travis:

We started seeing a huge spike in our traffic April 1 (Conficker? Coincidence?). I guess URLScan or this http://support.microsoft.com/default.aspx?scid=kb;en-us;241520&sd=tech will disable PROPFIND. Anyway, I too am interested in what malware does this, so hopefully someone will post the name when they find it.

"Travis McGee" wrote:
> I kind of know the Agent / Vista / MiniRedir part and what it means.
>
> The issue is the virus. The reason why I posted here is that when you
> search for this malware with key words, the closest complaints came from IIS
> admins observing a high quantity of hits in their logs coming from their
> internal IP addresses hitting the web servers with the name of the hard
> drive where IIS is installed: i.e. http://10.0.0.50/c (that has an
> external internet IP address:80 being routed to 10.0.0.50) ..... thousands
> of hits coming from the infected internal IP address (i.e. a Vista machine).
>
> Unfortunately, I could not find a good solution in the security forums. IIS
> people are the ones who are reporting this, but there is no good explanation about
> what kind of spyware/malware this thing is.
> The reason why my machines get infected is ... running scanning scripts with
> IE collecting info from an IP range ... i.e. hitting web sites
> http://245.45.16.1 - http://246.45.16.254 trying to find out which company a
> certain IP address (i.e. 245.45.16.9) belongs to.
>
> "Grant Taylor" <gtay***@riverviewtech.net> wrote in message
> news:gs839j$2fj2$1@tranq7.tranquility.net...
> > On 04/16/09 12:27, Travis McGee wrote:
> >> IIS Server behind a router is being hit by internal machines which are also
> >> behind a router.
> > ...
> >> Any help on this Microsoft-WebDav-MiniRedir (client agent) garbage?
> >
> > It looks like "Microsoft-WebDav-MiniRedir" is the User Agent string that
> > is used by the Web Folder (WebClient) director by Windows. Windows XP has
> > a version string of 5.<something>, so seeing as how your version string is
> > 6.<something> I'm guessing that the client in question is a Vista (?)
> > system that is trying to access contents on the server via WebDAV / Web
> > Folder / WebClient rather than standard SMB / CIFS shares. Check to make
> > sure that your client is to a UNC rather than to a URL.
> >
> > Grant. . . .

We managed to get hold of one of the PCs that was deluging us with this traffic, a new Vista Home 64-bit system, which had the McAfee Dell install. The McAfee Virus Scan engine had been turned off, but McAfee in other respects didn't appear to be damaged. This error showed up in the Windows Application Event log:

MCLogEvent Event ID 5022 MCSCAN32 Engine Initialization Failed Engine Returned error: 7

We then installed a new, updated copy of Symantec Endpoint Protection, ran a full scan, and it found nothing. Then ran Malwarebytes on it; it found only a "Hijack.DisplayProperties". Other than that, IE works fine on this system, no weird pop-ups, no weird behavior. I made sure the ethernet IP and wireless IP assigned to this laptop were definitely those associated in the web server logs with the 'PROPFIND WebDAV' traffic. But for the most part, this laptop looks fine. So, a rather dumb DoS attack seems to be coming from a fairly well hidden virus\malware. Also of note, it seems to have been getting past IDS\IPS systems, though those systems' filters can now be adjusted to detect this traffic. I don't know if this DoS is able to get past IPS systems due to dumb luck or because whoever made it knew how to tweak it to fly under IPS radar. If the latter, that's rather worrisome.

"Thomas Park" wrote:

Hi Guys,

I searched for this error (6.0.6001) on Google and I got this. This is my full error log:

2009-05-04 15:02:33 172.16.0.17 PROPFIND /setup$ - 80 - 172.16.0.10 Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 2 202

I'm running Server 2008 and IIS 7.0 and first noticed this error when my Vista machines could not access or view my web site. I am now having the same problems but with XP machines. None of these machines can access my site from the Internet but can access it sometimes from my local IP ports. I'm looking into this issue but if anyone gets any ideas on what to do to fix it please let me know.

TPARK

Thomas:

Is this server running SharePoint? If so, that could be legitimate traffic. If not, do you have something like URLScan, etc.? It could be identifying that as DoS attempts and auto-blocking those clients as a result, perhaps.

Chad

"Thomas Park" wrote:
> Hi Guys,
>
> I searched for this error (6.0.6001) on Google and I got this.
> This is my full error log:
>
> 2009-05-04 15:02:33 172.16.0.17 PROPFIND /setup$ - 80 - 172.16.0.10
> Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 2 202
>
> I'm running Server 2008 and IIS 7.0 and first noticed this error when my Vista
> machines could not access or view my web site. I am now having the same
> problems but with XP machines. None of these machines can access my site from
> the Internet but can access it sometimes from my local IP ports.
>
> I'm looking into this issue but if anyone gets any ideas on what to do to
> fix it please let me know.
>
> TPARK
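As an added example, not written by anyone in the thread: a short Python script that parses an IIS 7 W3C log in the field layout Thomas quoted and flags internal (RFC 1918) clients that sent many PROPFIND requests with the Microsoft-WebDAV-MiniRedir user agent, the pattern every poster above describes. The sample log rows (apart from Thomas's line), the share-name regex and the threshold are constructed for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample IIS 7 W3C log: same field layout as Thomas Park's line above, other rows made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-04 15:02:33 172.16.0.17 PROPFIND /setup$ - 80 - 172.16.0.10 Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 2 202
2009-05-04 15:02:33 172.16.0.17 PROPFIND /c - 80 - 172.16.0.10 Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 2 15
2009-05-04 15:02:34 172.16.0.17 PROPFIND /e - 80 - 172.16.0.10 Microsoft-WebDAV-MiniRedir/6.0.6001 404 0 2 16
2009-05-04 15:02:35 172.16.0.17 GET /index.html - 80 - 172.16.0.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 31
2009-05-04 15:02:36 172.16.0.17 PROPFIND / - 80 - 203.0.113.9 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 5 12
"""
# Paths that look like a drive letter or a hidden share name: /c, /e, /setup$ (heuristic, assumed)
SHARE_LIKE = re.compile(r"^/[A-Za-z]\$?$|\$$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 addresses, i.e. clients behind the same router as the server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" or a hostname in the c-ip column
        return False
    return any(addr in net for net in RFC1918)

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))

def find_minidir_floods(text, threshold=100):
    """Internal client IP -> {"hits", "stems"} for clients that sent at least
    `threshold` PROPFIND requests with the Microsoft-WebDAV-MiniRedir agent."""
    hits, stems = defaultdict(int), defaultdict(set)
    for e in parse_w3c(text):
        if e.get("cs-method") != "PROPFIND" or "MiniRedir" not in e.get("cs(User-Agent)", ""):
            continue
        if not is_internal(e.get("c-ip", "")):
            continue  # outside clients are a separate question
        hits[e["c-ip"]] += 1
        if SHARE_LIKE.search(e["cs-uri-stem"]):
            stems[e["c-ip"]].add(e["cs-uri-stem"])
    return {ip: {"hits": n, "stems": sorted(stems[ip])}
            for ip, n in hits.items() if n >= threshold}
```

Run it over the real log with a threshold that suits your traffic; the flagged addresses are the machines to pull off the network and scan, as the poster above did with the Vista laptop.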