[CentOS] Perhaps slightly OT - Lots of spurious webdav requests.

Mon Sep 15 08:05:58 UTC 2008
Friedrich Clausen <fred at derf.nl>

Hello All,

I am running a CentOS 4.6 file server for a small office network and I
am getting a lot of strange webdav requests from one of the Windows
workstations - I have not configured Webdav on the Windows host
(hereafter "windows-laptop") in question.

Some details - I have configured a Samba share called (say) "share1"
on the CentOS server and the windows-laptop connects to this share
using CIFS, nothing unusual there. But, for some reason,
windows-laptop also tried to access a Webdav folder by the same name
("share1") - lots of log entries such as the following (it seems to
try every two minutes):

10.11.1.95 - - [14/Sep/2008:04:10:32 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.11.1.95 - - [14/Sep/2008:04:10:32 -0400] "PROPFIND /share1 HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

I have most assuredly not told windows to try and use a Web folder on
the CentOS file server called "/share1", just the CIFS share.

My conclusions -

* Windows is trying to be clever and automatically map CIFS shares to
a Web folder.
* Malware is trying to access a Webfolder by the same name as the CIFS
share.

Any hints from the list would be much appreciated!

Thanks,

Fred.
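
Added example, not part of the original post: a short Python script that summarizes `Microsoft-WebDAV-MiniRedir` requests in an Apache combined-format access log by client, method and path, with the status codes returned and the median spacing between requests. It is one way to check the "every two minutes" pattern described above and to see whether other clients do the same. The first two sample lines are the ones quoted in the post; the remaining lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" log format, matching the entries quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
DAV_METHODS = {"OPTIONS", "PROPFIND"}  # the two methods seen in the post
MINIREDIR = "Microsoft-WebDAV-MiniRedir"

# Sample input: first two lines are from the post, the rest are constructed.
SAMPLE_LOG = """\
10.11.1.95 - - [14/Sep/2008:04:10:32 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.11.1.95 - - [14/Sep/2008:04:10:32 -0400] "PROPFIND /share1 HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.11.1.95 - - [14/Sep/2008:04:12:32 -0400] "PROPFIND /share1 HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.11.1.95 - - [14/Sep/2008:04:14:33 -0400] "PROPFIND /share1 HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.11.1.20 - - [14/Sep/2008:04:13:01 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def summarize_dav_probes(log_text):
    """Group MiniRedir WebDAV requests by (client, method, path)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in DAV_METHODS or MINIREDIR not in m["ua"]:
            continue  # unparsable line, ordinary HTTP method, or other client
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["method"], m["path"])].append((ts, int(m["status"])))
    report = {}
    for key, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report[key] = {
            "count": len(events),
            "statuses": sorted({s for _, s in events}),
            "median_gap_s": median(gaps) if gaps else None,  # None: single hit
        }
    return report

if __name__ == "__main__":
    for key, info in summarize_dav_probes(SAMPLE_LOG).items():
        print(key, info)
```
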