# What's this in my apache log? ( "PROPFIND /C%24 HTTP/1.

## VanDan

I'm getting this in my apache access log:

```
203.122.81.18 - - [04/Oct/2004:18:41:32 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:41:33 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:42:35 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:42:37 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:43:57 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:43:57 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:45:07 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:45:08 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:45:17 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:46:20 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:46:21 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:47:54 +1000] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

203.122.81.18 - - [04/Oct/2004:18:47:54 +1000] "PROPFIND /C%24 HTTP/1.1" 405 324 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

```

Does anyone know what it is?

2 hits per minute, every minute, seems a bit rude...

Should I just firewall them or what?

----------

## hds

http://forums.devshed.com/archive/t-166086

btw.. just more fun then blocking, is simply re-dericting the request to microsoft.com 

and make sure you choose a huge file, like ie6full or similar  :Laughing: 

----------

## tuxmin

Somone tries to connect to your apache via DAV. This is an extension to http that allow bidirectional transfer of files. If do not have DAV activated in your apache there is nothing to concern about that.

----------

## VanDan

 *hds wrote:*   

> http://forums.devshed.com/archive/t-166086
> 
> btw.. just more fun then blocking, is simply re-dericting the request to microsoft.com 
> 
> and make sure you choose a huge file, like ie6full or similar 

 

Interesting.

So I'd do something like make an 'OPTIONS' folder, and in the index.html file, re-direct to the IE6 download, eh?

I'm no apache / html genius ... I assume you could do the same thing in the apache config file too, but I had a brief look at it, and it looks like it's more trouble than it's worth.

----------

## hds

 *VanDan wrote:*   

> and it looks like it's more trouble than it's worth.

 

yeah right, i was just kidding a little, because IMHO microsoft deserves a little bandwith-abuse for all of this pun  :Wink: 

if you actually need your webserver running to the public, there is no way to get rid of those requests. but if someone else already pointed out correctly - they dont harm your apache anyway. its just annoying (IMHO) if you brose the logs to see whats up. and it is anoying if you are (like me) low on bandwith because all those requests might tie your network down a bit.

or are those requests always from the same IP? checking out the IP i see they belong to an adress range from an ISP. so if you get this from the very same IP for more then 24H you could inform that admin. but my guess is, its just a poor windows user who fetched a worm.

for your record:

```

router:~ # nmap -v 203.122.81.18

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )

No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).

Host  (203.122.81.18) appears to be up ... good.

Initiating Connect() Scan against  (203.122.81.18)

Adding TCP port 1025 (state open).

Adding TCP port 445 (state open).

Adding TCP port 3389 (state open).

Adding TCP port 135 (state open).

Adding TCP port 5000 (state open).

The Connect() Scan took 46 seconds to scan 1542 ports.

Interesting ports on  (203.122.81.18):

(The 1537 ports scanned but not shown below are in state: closed)

Port       State       Service

135/tcp    open        loc-srv

445/tcp    open        microsoft-ds

1025/tcp   open        listen

3389/tcp   open        msrdp

5000/tcp   open        fics

```

----------

