Probably old news; but FYI:
I recently had an internal (development only) IIS5 server crash a few times unexpectedly. Taking a look at the logs, I initially feared a bit of malware had made it onto the network, as it seemed as if an exploit scan/WebDAV DoS attack originated from within the same network:
Code:
15:10:18 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.bat 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:10:18 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.com 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:10:18 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.lnk 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.bat 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.cmd 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.exe 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.com 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.pif 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:08 192.168.XXX.XXX - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.lnk 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.bat - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.ba - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.cmd - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.cm - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.exe - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.ex - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.com - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.co - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.pif - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.pi - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.lnk - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.168.XXX.XXX - 80 PROPFIND /SHARE.ln - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
However, after a bit of digging, it appears that the crashes all coincided with network users upgrading to IE8. Each time a network user with a mapping to a share on that IIS server upgraded, it led to a crash and log entries similar to those above. I assume this is due to some sort of WebDAV scan that must run during the IE8 install.
Luckily this was simply a development server (and a hidden* one to boot) so the crashes were few and far between.
My solution, disable WebDAV: http://support.microsoft.com/kb/241520
*Hidden via: net config server /hidden:yes
Should have had it disabled already, anyway :P
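
A triage sketch for log entries like the ones above, added here as an example and not part of the original post: it groups PROPFIND requests by client and user agent and flags a client that asks for one base name under several executable extensions, including the truncated forms (`.ba`, `.cm`). The field positions are inferred from the lines in the post; the client address `192.0.2.10`, the function names and the `min_exts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log layout (placeholder client addresses).
SAMPLE = """\
15:11:07 192.0.2.10 - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.0.2.10 - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.bat 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:07 192.0.2.10 - 80 PROPFIND /err/404.php 404;http://SERVER/SHARE.exe 404 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.0.2.10 - 80 PROPFIND /SHARE.cmd - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:11 192.0.2.10 - 80 PROPFIND /SHARE.cm - 403 Microsoft-WebDAV-MiniRedir/5.1.2600 -
15:11:12 192.0.2.44 - 80 GET /index.html - 200 Mozilla/4.0 -
"""

EXTS = ("bat", "cmd", "exe", "com", "pif", "lnk")  # extensions seen in the post

def requested_path(stem, query):
    """Custom-error lines carry the original URL in the query as '404;http://host/path'."""
    m = re.match(r"\d{3};https?://[^/]+(/.*)$", query)
    return m.group(1) if m else stem

def summarize(log_text, min_exts=3):
    """Count PROPFINDs per (client, user agent) and list base names that were
    requested under at least min_exts different executable extensions."""
    probes = defaultdict(lambda: defaultdict(set))  # (ip, ua) -> base -> {ext}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        # Assumed layout: time ip user port method stem query status agent ...
        if len(f) < 9 or f[4] != "PROPFIND":
            continue
        ip, stem, query, ua = f[1], f[5], f[6], f[8]
        counts[(ip, ua)] += 1
        base, dot, ext = requested_path(stem, query).rpartition(".")
        if not dot:
            continue
        # Map truncated names (.ba, .cm, ...) back to the full extension.
        full = next((e for e in EXTS
                     if len(ext) >= 2 and e.startswith(ext.lower())), None)
        if full:
            probes[(ip, ua)][base].add(full)
    return {key: {"propfind": n,
                  "ext_probe": {b: sorted(x) for b, x in probes[key].items()
                                if len(x) >= min_exts}}
            for key, n in counts.items()}

if __name__ == "__main__":
    for (ip, ua), info in summarize(SAMPLE).items():
        print(ip, ua, info)
```

A flagged client whose user agent is `Microsoft-WebDAV-MiniRedir` points at a workstation's built-in WebDAV redirector rather than a standalone scanner, which is the distinction the post arrives at by correlating with the IE8 upgrades.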