tech question - PROPFIND in my Apache Log

[DonMan]

Something I've never seen before. I'll put my questions below the log:

192.168.1.101 - - [06/Dec/2012:18:38:52 -0500] "GET /Dev/MediaLib/ShowPic.php?idActor=652 HTTP/1.1" 200 142
192.168.1.101 - - [06/Dec/2012:18:40:01 -0500] "GET /Dev/MediaLib/index.php HTTP/1.1" 200 5975
192.168.1.101 - - [06/Dec/2012:18:42:36 -0500] "GET /Dev/MediaLib/index.php HTTP/1.1" 200 5975
192.168.1.102 - - [06/Dec/2012:18:44:50 -0500] "GET /Dev/forumspy/topiclist.php?forum=44-NonSportsTalk HTTP/1.1" 200 17883
192.168.1.102 - - [06/Dec/2012:18:44:57 -0500] "GET /Dev/forumspy/topiclist.php?forum=44-NonSportsTalk HTTP/1.1" 200 17883
192.168.1.102 - - [06/Dec/2012:18:47:05 -0500] "OPTIONS /Users/Public/Videos HTTP/1.1" 200 -
192.168.1.102 - - [06/Dec/2012:18:47:08 -0500] "PROPFIND /Users/Public/Videos HTTP/1.1" 405 330
192.168.1.102 - - [06/Dec/2012:18:47:10 -0500] "PROPFIND /Users/Public HTTP/1.1" 405 323
192.168.1.102 - - [06/Dec/2012:18:47:12 -0500] "PROPFIND /Users/Public/Videos HTTP/1.1" 405 330
192.168.1.102 - - [06/Dec/2012:18:47:15 -0500] "PROPFIND /Users/Public HTTP/1.1" 405 323
192.168.1.101 - - [06/Dec/2012:18:48:50 -0500] "GET /Dev/MediaLib/index.php HTTP/1.1" 200 5975
192.168.1.101 - - [06/Dec/2012:18:48:55 -0500] "GET /Dev/MediaLib/Actors.php HTTP/1.1" 200 10318
192.168.1.102 - - [06/Dec/2012:18:49:06 -0500] "OPTIONS /Users/Public/Videos HTTP/1.1" 200 -
192.168.1.102 - - [06/Dec/2012:18:49:08 -0500] "PROPFIND /Users/Public/Videos HTTP/1.1" 405 330
192.168.1.101 - - [06/Dec/2012:18:49:08 -0500] "GET /Dev/MediaLib/Actors.php?start=G HTTP/1.1" 200 48845
192.168.1.102 - - [06/Dec/2012:18:49:10 -0500] "PROPFIND /Users/Public HTTP/1.1" 405 323
192.168.1.102 - - [06/Dec/2012:18:49:13 -0500] "PROPFIND /Users/Public/Videos HTTP/1.1" 405 330
192.168.1.101 - - [06/Dec/2012:18:49:10 -0500] "GET /Dev/MediaLib/ListMovies.php?idActor=252 HTTP/1.1" 200 3098
192.168.1.101 - - [06/Dec/2012:18:49:12 -0500] "GET /Dev/MediaLib/ListMovies.php?idActor=10 HTTP/1.1" 200 1558
192.168.1.101 - - [06/Dec/2012:18:49:12 -0500] "GET /Dev/MediaLib/ListMovies.php?idActor=155 HTTP/1.1" 200 3218


.101 is the computer that this Apache Server log is from, in my study.
.102 is the computer in my living room, which is also running an Apache Server.
There is nothing unusual in the .102 log.
Neither computer has any ports directly exposed to the outside.
My third computer has it's Apache Server exposed; the only thing in it's log "from the outside" over the last few days is people looking at an image I posted in the Support forum here.

.102 had/has Firefox open with a bunch of tabs. The only thing making regular requests was the "forum spy", a page I wrote that reads kffl every 5 minutes.

I closed Firefox on .102, that didn't stop the issue. Looked in Task Manager and didn't see anything out of the ordinary there. Rebooted .102 and the problem went away.

FWIW, there is no /Users/Public/Videos folder on my computer. I paged back quite a ways and couldn't see any other of these PROPFIND or OPTIONS entries. It just started with the entries posted here, and stopped when I rebooted.


Any thoughts as to what the heck this might have been?

[RayClay]

Has Carrot Top been using your computer?

[trev]

Been years since I have done Unix/Apache stuff but it rings a bell.

I think this is largely a swing and a miss on your up to date and patched OS. This exploit attempt is from years ago and I would bet you have nothing to worry about.

It's just knocking on doors.

[DonMan]

FYI, these are all Windows boxes. The oldest is Windows 2000, the others are Windows 7.

I'm mostly curious as to where this gremlin could have been hiding after I closed Firefox.

I did a little reading on the OPTIONS and PROPFIND commands. Looks like something was trying to see if it had write access to source folders. Of course, that's disabled by default, so I was never at any real risk.

[Hyped]

Stop browsing midget porn...I know Tyke needs to make $$$, but it'll just mess your PC up man...