SharePoint Service 3.0 - _vti_bin folder

    Question

  • Hello everyone,

    On Sept 8th I noticed that our SharePoint Services 3.0 web site had over 300,000 total page accesses (from one IP) to /_vti_bin/shtml.dll/_vti_rpc.

    What is the /_vti_bin folder used for? Is this for web services?

    When I request this page directly I am presented with the following:

    method= 
    
    status= 
    
    status=262147 
    osstatus=0 
    msg=No "CONTENT_TYPE" in CGI environment. 
    osmsg= 

    Any ideas why this might be happening? Would WebDAV activity be causing this?

    Tuesday, September 13, 2011 4:47 PM

All replies

  • Hi,

    Yes, the /_vti_bin folder is for web services. Please refer to:

    http://msdn.microsoft.com/en-us/library/bb862916(v=office.12).aspx

    Most communications between MOSS 2007 and other applications, such as SharePoint Designer 2007, are based on web services.

    Seven Ma

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com 

    Wednesday, September 14, 2011 2:17 AM
  • Hi Seven,

    Thanks so much for providing that information, now I understand what that directory is used for :)

    Here is a snippet from a particular time in the logs that I'm concerned about:

    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 31
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 62
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 62
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46
    2011-09-08 02:27:40 OURIP  POST /_vti_bin/shtml.dll/_vti_rpc - OURPORT - 96.52.140.94 MSFrontPage/12.0 401 5 0 46

    Does SharePoint Services 3.0 have FrontPage enabled somehow? According to these log file records, it looks like these are 401 errors, which indicates this IP was not authorized to access that resource, correct?

    Wednesday, September 14, 2011 3:58 PM
  • Hi,

    SharePoint Designer 2007 is based on MSFrontPage.

    From the error message, it means that the user account under which you connect to SharePoint web services has no proper permissions but the IP was not authorized to access the resource.

    You can use one of the administrators to log on to the server and open SharePoint Designer 2007 to check the result.

    Seven Ma

    • Edited by Seven M Thursday, September 15, 2011 8:31 AM
    Thursday, September 15, 2011 8:30 AM
  • _vti_bin is a virtual directory which is mapped to the Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\isapi directory. This virtual directory automatically gets created whenever a new web application is created.

    MSFrontPage/12.0 represents the usage of Microsoft Office SharePoint Designer by a user. I think all these entries indicate that SharePoint Designer has been used to access the web service hosted in /_vti_bin/shtml.dll.

    Hope this is helpful.

    Bivsworld

    Thursday, September 15, 2011 12:03 PM
  • Thanks so much for the feedback so far.

    I've looked up the IP and it belongs to an ISP here in the city I live in.

    I'm a bit concerned that SharePoint Designer is being used, especially at that time block (2am).

    The IT staff here at work (myself and my co-worker) are the only persons who should be using SharePoint Designer.

    I know staff will use Explorer View to manage documents sometimes, could MSFrontPage/12.0 indicate possible WebDAV activity?

    Thursday, September 15, 2011 4:01 PM
  • Anyone know if MSFrontPage/12.0 could possibly be anything else besides SharePoint Designer or Front Page?
    Friday, September 16, 2011 8:26 PM
  • Hey everyone,

    This is happening again (yesterday).

    400,000 total connections to /_vti_bin/shtml.dll/_vti_rpc

    I've now blocked this IP but I'm wondering what is causing so many connections from this host? Most likely malware?

    Friday, September 16, 2011 10:24 PM
  • Hello,

    The traffic pattern you mentioned is not the result of a library being opened in Explorer view. When a document library is opened in Explorer view you'll see a pattern with only OPTIONS and PROPFIND.
    Example pattern when opening a SharePoint document library using Explorer View:

    2011-09-20 15:01:58 <ServerIP> OPTIONS /My+Documents - <PORT> - <ClientIP> Microsoft-WebDAV-MiniRedir/<OS Version Number> 401 2 5 52
    2011-09-20 15:01:58 <ServerIP> OPTIONS /My+Documents - <PORT> <Domain\User> <ClientIP> Microsoft-WebDAV-MiniRedir/<OS Version Number> 200 0 64 37
    2011-09-20 15:01:58 <ServerIP> PROPFIND /My+Documents - <PORT> - <ClientIP> Microsoft-WebDAV-MiniRedir/<OS Version Number> 401 2 5 26
    2011-09-20 15:01:58 <ServerIP> PROPFIND /My+Documents - <PORT> <Domain\User> <ClientIP> Microsoft-WebDAV-MiniRedir/<OS Version Number> 207 0 0 41
    

    The pattern you've mentioned is generated when a Microsoft Office (e.g. Microsoft Word) document residing in a SharePoint Site is opened in Microsoft Word in Edit mode and saved after editing.
    Example pattern when editing a document on SharePoint document library using MS Word:
    2011-09-20 15:16:04 <ServerIP> OPTIONS /My+Documents/Forms/ - <PORT> <Domain\User> <ClientIP> Microsoft+Office+Protocol+Discovery 200 0 0 84
    2011-09-20 15:16:04 <ServerIP> GET /_vti_inf.html - 80 Domain\User <ClientIP> Mozilla/4.0+(compatible;+MS+FrontPage+14.0) 200 0 0 37
    2011-09-20 15:16:04 <ServerIP> POST /_vti_bin/shtml.dll/_vti_rpc - <PORT> <Domain\User> <ClientIP> MSFrontPage/14.0 200 0 0 21
    2011-09-20 15:16:04 <ServerIP> POST /_vti_bin/shtml.dll/_vti_rpc - <PORT> - <ClientIP> MSFrontPage/14.0 401 2 5 6
    2011-09-20 15:16:04 <ServerIP> POST /_vti_bin/shtml.dll/_vti_rpc - <PORT> <Domain\User> <ClientIP> MSFrontPage/14.0 200 0 0 47
    

    Please note the first 401.2 is expected, as any client will try to access the SharePoint site with Anonymous Authentication, and if it cannot (as it's not an anonymous site), it will send back an authentication challenge based on the Authentication Method set on the SharePoint Web Application and get authenticated, hence a response code of 200.0.

     

    However, from your notes: you are receiving 401.5, which isn't really expected. If you think the requests are coming from a trusted source then check if the following resources can be useful for you.


    Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Regards,
    Nishant Shah
    Microsoft Online Community Support

    Tuesday, September 20, 2011 3:43 PM
    Moderator
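
The distinction drawn in the reply above (a 401.2 followed by an authenticated 200 is a normal handshake, while a client that only ever collects 401s is not) can be checked across a whole log file. The following is an added example, not part of the original thread: the field order is inferred from the log lines quoted here, the sample lines are constructed (documentation IP ranges, a made-up `CONTOSO\alice` user), and the function names and threshold are hypothetical.

```python
from collections import Counter, defaultdict

# Assumed W3C field order, inferred from the log lines quoted in this thread
# (the thread shows no "#Fields:" header, so adjust to your own log config).
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent status substatus win32_status time_taken").split()
RPC_PATH = "/_vti_bin/shtml.dll/_vti_rpc"

def parse(line):
    """Return a dict for one IIS log line, or None for comments/odd lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def suspicious_clients(lines, min_requests=5):
    """Clients that hit the RPC endpoint repeatedly and never authenticate.

    A 401.2 followed by a 200 with a username is the normal challenge/response
    handshake, so a client with any authenticated success is not reported.
    """
    stats = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        if rec["uri_stem"].lower() != RPC_PATH:
            continue
        c = stats[rec["c_ip"]]
        c["total"] += 1
        c[f'{rec["status"]}.{rec["substatus"]}'] += 1  # e.g. "401.5"
        if rec["status"] == "200" and rec["username"] != "-":
            c["auth_ok"] += 1
    return {ip: dict(c) for ip, c in stats.items()
            if c["total"] >= min_requests and c["auth_ok"] == 0}

# Constructed sample: one client repeating 401.5, one doing a normal handshake.
SAMPLE = (
    ["2011-09-08 02:27:40 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc - 80 - "
     "192.0.2.10 MSFrontPage/12.0 401 5 0 46"] * 6
    + ["2011-09-20 15:16:04 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc - 80 - "
       "198.51.100.7 MSFrontPage/14.0 401 2 5 6"]
    + ["2011-09-20 15:16:04 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc - 80 "
       "CONTOSO\\alice 198.51.100.7 MSFrontPage/14.0 200 0 0 47"] * 5
)

if __name__ == "__main__":
    for ip, counts in suspicious_clients(SAMPLE).items():
        print(ip, counts)
```

The per-substatus counts in the result show whether a flagged client is seeing 401.5, as in the question, or some other failure.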
  • Hey Nishant Sh,

    Thanks so much for the links and your response. Sorry for the delay in my response, I was away for a few days.

    1) We are not running SharePoint Team Services. I've actually never heard of that product before :/ That doesn't say much though :)

    2) I'm more concerned with the amount of requests, we are talking thousands. It definitely looks automated.

    Has no one else seen similar traffic?

    Also, does this look like something that is possibly happening to us?

    http://technet.microsoft.com/en-us/security/bulletin/ms02-053

     

     


    • Edited by dwildgoose Wednesday, September 21, 2011 9:39 PM
    Wednesday, September 21, 2011 9:38 PM
  • Hello,

    I provided the link for "Overview of the SharePoint Team Services Architecture" just so that you can understand the functionality provided by shtml.dll. Also, I provided information about what can cause this kind of traffic in the above post, not sure how far that'd be helpful to you.

    I don't believe you'll be impacted by http://technet.microsoft.com/en-us/security/bulletin/ms02-053 considering this doesn't impact WSS 3.0 / MOSS 2007.

    If you get more of these instances from a different IP and you believe these could be attempts to compromise the network security, please open up a support incident with the Security team from Microsoft Support. Please visit the below link to see the various support options that are available to better meet your needs: http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone. If you are an MSDN / TechNet subscriber, you can also contact our support by using your free support incidents.



    Regards,
    Nishant Shah
    Microsoft Online Community Support
    Thursday, September 22, 2011 1:26 PM
    Moderator