Solved

Long Webdav request

Posted on 2004-10-25
Last Modified: 2008-01-09
Here's where I "think" we're at:

1. We are constantly being locked out of our site host's system by their Intrusion Detection System. This happens when either browsing the site with Mozilla Firefox, or updating the site with MS FrontPage.

2. Each time this happens, their IDS log shows our IP as initializing a "Long WebDav" request. They have told us the most likely culprit is a virus on our system that is hijacking the packets that we're sending.

3. I'm willing to accept #1 and #2 at this point.

4. Ran Ad-Aware, and this was the logfile, of which all items have now been deleted:

obj[0]=IECache Entry : Cookie:mycomputer@~~local~~/
obj[1]=IECache Entry : Cookie:mycomputer@domainsponsor.com/
obj[2]=IECache Entry : Cookie:mycomputer@adserver.terra.com.br/
obj[3]=IECache Entry : Cookie:mycomputer@landing.domainsponsor.com/
obj[4]=IECache Entry : Cookie:mycomputer@mediaplex.com/
obj[5]=IECache Entry : Cookie:mycomputer@overture.com/
obj[6]=IECache Entry : Cookie:mycomputer@weborama.fr/

Could these items be the cause?
There does not appear to be anything else on my system - so how could a Cookie (which I thought was harmless) do this?

5. If it is something else entirely, I would very much appreciate any recommendations you may have.

Thanks,
Sean Powell
Your friendly Web Development Page Editor ( and apparently security-minded numnuts )
0
Question by:seanpowell
8 Comments
 
LVL 7

Accepted Solution

by:
shahrial earned 1200 total points
ID: 12401688
1.) Install a personal firewall like ZoneAlarm. This way, while updating the site, all outbound requests can be filtered.

2.) Recommend to run the Ad-Aware SE Personal Edition 1.05 in Safe Mode.
http://www.download.com/3000-2144-10045910.html

with Latest definition file: SE1R14 22.10.2004
http://www.lavasoftusa.com/support/download/

3.) Run Windows Update and update all current Critical Updates...;-)
0
 
LVL 31

Author Comment

by:seanpowell
ID: 12401818
Thanks for your reply.

1. I'll look into that...

2. I have Ad-Aware, the logfile was posted. What do you mean by "Safe Mode"?

3. Already done, except for XP SP2, which I'll wait a few years till the bugs are ironed out.

Is there any way to "confirm" that the problem is indeed on my end?

Sean
0
 
LVL 31

Author Comment

by:seanpowell
ID: 12402044
Zone Alarm shows this on Startup, I assume it's the IP of my broadband connection?
169.254.0.0

I also have this shown as the IP of my computer, when going to showmyip.com (last numbers x'd out)
65.95.xxx.xx

So it's correct that I have both, yes?
0
 
LVL 11

Expert Comment

by:huntersvcs
ID: 12404244
What he means is, when the XP LOGO appears, hit F8 to get into the DOS menu. There you can select SAFE MODE. By running Ad-Aware at this level, services are not already started that could prevent a clean "repair".
0
 
LVL 31

Author Comment

by:seanpowell
ID: 12411258
Thanks :-)

I've run a complete Ad-Aware scan in safe mode and nothing.

I guess what I need to know is this:
Accessing a site generates a Long WebDAV request, and we are locked out of the host's IDS for 15 minutes.

Is there "ANY OTHER" reason for this, besides me having a virus on my system?

Thanks,
Sean
0
 
LVL 7

Expert Comment

by:shahrial
ID: 12418623
Try connecting with ZoneAlarm active...any applications trying to run?
And do you get locked out?

What Anti-Virus are you running?

A Long WebDAV request can cause Denial of Service (DoS), therefore the counter-measure is quite prudent, but a false positive is irritating...
0
 
LVL 11

Assisted Solution

by:huntersvcs
huntersvcs earned 800 total points
ID: 12419282
Other possible tools:

Spybot - Search and Destroy
CWShredder (especially for hijacked browsers)
0
 
LVL 31

Author Comment

by:seanpowell
ID: 12426943
When the host ran a repair on the extensions, IIS found a problem with something called a Timer. Looks like we're clean.

Thank you for all your comments here. :-)

Sean
0

Question has a verified solution.
