Solved

Long Webdav request

Posted on 2004-10-25
Last Modified: 2008-01-09
Here's where I "think" we're at:

1. We are constantly being locked out of our site host's system by their Intrusion Detection System. This happens when either browsing the site with Mozilla Firefox, or updating the site with MS FrontPage.

2. Each time this happens, their IDS log shows our IP as initializing a "Long WebDav" request. They have told us the most likely culprit is a virus on our system that is hijacking the packets that we're sending.

3. I'm willing to accept #1 and #2 at this point.

4. Ran Ad-Aware, and this was the logfile, of which all items have now been deleted:

obj[0]=IECache Entry : Cookie:mycomputer@~~local~~/
obj[1]=IECache Entry : Cookie:mycomputer@domainsponsor.com/
obj[2]=IECache Entry : Cookie:mycomputer@adserver.terra.com.br/
obj[3]=IECache Entry : Cookie:mycomputer@landing.domainsponsor.com/
obj[4]=IECache Entry : Cookie:mycomputer@mediaplex.com/
obj[5]=IECache Entry : Cookie:mycomputer@overture.com/
obj[6]=IECache Entry : Cookie:mycomputer@weborama.fr/

Could these items be the cause?
There does not appear to be anything else on my system - so how could a Cookie (which I thought was harmless) do this?

5. If it is something else entirely, I would very much appreciate any recommendations you may have.

Thanks,
Sean Powell
Your friendly Web Development Page Editor ( and apparently security-minded numnuts )
Question by:seanpowell
    8 Comments
     
    LVL 7

    Accepted Solution

    by:
    1.) Install a personal firewall like ZoneAlarm. This way, while updating the site, all outbound requests can be filtered.

    2.) Recommend to run the Ad-Aware SE Personal Edition 1.05 in Safe Mode.
    http://www.download.com/3000-2144-10045910.html

    with Latest definition file: SE1R14 22.10.2004
    http://www.lavasoftusa.com/support/download/

    3.) Run Windows Update and update all current Critical Updates... ;-)
     
    LVL 31

    Author Comment

    by:seanpowell
    Thanks for your reply.

    1. I'll look into that...

    2. I have Ad-Aware, the logfile was posted. What do you mean by "Safe Mode"?

    3. Already done, except for XP SP2, which I'll wait a few years till the bugs are ironed out.

    Is there any way to "confirm" that the problem is indeed on my end?

    Sean
     
    LVL 31

    Author Comment

    by:seanpowell
    Zone Alarm shows this on Startup, I assume it's the IP of my broadband connection?
    169.254.0.0

    I also have this shown as the IP of my computer, when going to showmyip.com (last numbers x'd out)
    65.95.xxx.xx

    So it's correct that I have both, yes?
     
    LVL 11

    Expert Comment

    by:huntersvcs
    What he means is, when the XP logo appears, hit F8 to get into the DOS menu. There you can select Safe Mode. By running Ad-Aware at this level, services are not already started that could prevent a clean "repair".
     
    LVL 31

    Author Comment

    by:seanpowell
    Thanks :-)

    I've run a complete Ad-Aware scan in safe mode and nothing.

    I guess what I need to know is this:
    Accessing a site generates a Long WebDAV request, and we are locked out of the host's IDS for 15 minutes.

    Is there "ANY OTHER" reason for this, besides me having a virus on my system?

    Thanks,
    Sean
     
    LVL 7

    Expert Comment

    by:shahrial
    Try connecting with ZoneAlarm active...any applications trying to run?
    And do you get locked out?

    What Anti-Virus are you running?

    Long WebDAV requests can cause Denial of Service (DoS), therefore the countermeasure is quite prudent, but a false positive is irritating...
     
    LVL 11

    Assisted Solution

    by:huntersvcs
    Other possible tools:

    Spybot - Search and Destroy
    CWShredder (especially for hijacked browsers)
     
    LVL 31

    Author Comment

    by:seanpowell
    When the host ran a repair on the extensions, IIS found a problem with something called a Timer. Looks like we're clean.

    Thank you for all your comments here. :-)

    Sean