May 31st, 2006

DAV attack in progress?

I have gotten several dozen sets of apparent probes from hosts over the Internet. They look like this:
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /index.html HTTP/1.0" 404 434 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /index.htm HTTP/1.0" 404 433 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /index.asp HTTP/1.0" 404 433 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /index.php HTTP/1.0" 404 433 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /default.asp HTTP/1.0" 404 435 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
216.194.106.22 - - [31/May/2006:14:39:03 -0400] "PUT /default.htm HTTP/1.0" 404 435 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
Here are some of the hosts involved:
212.180.1.44
213.236.237.147
213.82.208.70
216.120.255.6
216.194.106.22
216.222.193.2
216.55.162.48
217.160.164.139
38.100.80.234
62.75.247.131
63.249.148.1
64.119.187.196
64.214.127.143
65.38.180.8
65.98.70.122
66.159.211.69
66.162.134.131
66.162.134.136
66.221.136.1
69.9.175.242
70.105.222.252
72.36.153.18
72.36.239.114
83.100.49.232
85.101.70.107
87.238.162.28

Many (most?) of those systems seem to also be running web server software.

Has anyone else seen anything like this? They seem to be getting more frequent as the day goes on.