[ale] File does not exist: _vti_bin | MSOffice
Jim Popovitch
yahoo at jimpop.com
Wed Nov 19 22:30:28 EST 2008
On Wed, Nov 19, 2008 at 22:15, Robert Coggins <ale at cogginsnet.com> wrote:
> I believe _vti_bin is a frontpage extension. Most likely it is someone
> trying to exploit your server hoping for an unpatched MS box. Could be
> an honest mistake of someone connecting to your servers with frontpage,
> however I doubt it.
;-) That's the big question that I am trying to get a definitive
answer on. Nobody seems to know... a lot suspect like you (and I) do
that it is eyebrow raising. However, I have seen IE "browsers" do all
sorts of things that are questionable but generally the user doesn't
know the IE engine is doing those things.
For instance, I've seen IE/Outlook PROPFIND (Webdav) hits appear on
one domain from unsuspecting remote users who receive (SMTP) email
from a different subdomain. SO many so that I added an Apache rule
just to keep the errors out of the logs:
RewriteCond %{REQUEST_METHOD} PROPFIND [nocase]
RewriteRule .*$
http://www.microsoft.com/instmsg/aliases/only-lame-software-automatically-tells-the-world-that-the-recipient-is-reading-the-senders-email
[last,redirect=permanent]
;-)
Back to _vti_bin, It's not quite clear to me that accessing that dir,
or MSOffice, is intentional malicious behavior, despite how unusual it
is.
-Jim P.
More information about the Ale
mailing list