[Dshield] worm(?) using nsiislog.dll exploit?

WMAVT@aol.com WMAVT at aol.com
Sun Dec 21 20:49:28 GMT 2003


It seems it has been around since June. Did you check here?

http://securityresponse.symantec.com/avcenter/security/Content/8035.html

I had hits from the same places back when the Red Worm hit; I believe there is a group that is working together. The FBI did not seem to care. Oh well, have fun.

Bill

========Original Message======== 
Subj:   [Dshield] worm(?) using nsiislog.dll exploit?   
Date:   12/21/2003 6:56:58 AM Mountain Standard Time    
From:    jimmythegeek at techemail.com (James Affeld)
Sender:    list-bounces at dshield.org
Reply-to: list at dshield.org (General DShield Discussion List)
To:    list at dshield.org
I've seen exploit attempts against the 11 web servers I run.

16 different hosts from Korea, Germany, etc. have tried to use the nsiislog.dll file in the last month or so. Judging from the way the source port increments to match gaps in the IP addresses of my web servers, I believe it tries every IP in the subnet. I only alert on the successful sessions that contain this exploit, so I don't see the "dest. host unreachable" messages. It doesn't send it with the SYN packet, so I don't hear about the misses, only the hits.

bad.guy.ip.address 3445 -> my.ip.address.10
bad.guy.ip.address 3448 -> my.ip.address.13


Here are the references Snort cites.  

http://www.microsoft.com/technet/security/bulletin/ms03-018.asp
http://cgi.nessus.org/plugins/dump.php3?id=11664

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0306&L=NTBUGTRAQ&P=R4563

If this were a tool being used manually, I wouldn't expect to see it from 16 
different hosts.  The vulnerable .dll gets installed with Windows Media 
Services on Windows 2000 server/IIS 5.0.  The fact that it is not installed by 
default probably explains the sub-epidemic level of attacks.  



----------------------- Headers --------------------------------
Return-Path: <list-bounces at dshield.org>
Received: from  rly-ya06.mx.aol.com (rly-ya06.mail.aol.com [172.18.141.38]) 
by air-ya01.mail.aol.com (v97.14) with ESMTP id MAILINYA14-7733fe5a69a206; Sun, 
21 Dec 2003 08:56:58 -0500
Received: from  mail.giac.net (mail1.giac.net [65.173.218.103]) by 
rly-ya06.mx.aol.com (v97.10) with ESMTP id MAILRELAYINYA69-7733fe5a69a206; Sun, 21 Dec 
2003 08:56:42 -0500
Received: (qmail 22698 invoked from network); 21 Dec 2003 13:56:39 -0000
Received: from  (HELO dshield.com) (@)
  by 0 with SMTP; 21 Dec 2003 13:56:39 -0000
Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])
    by dshield.com (8.11.6/8.11.6) with ESMTP id hBLDtfk26785;
    Sun, 21 Dec 2003 13:55:41 GMT
Received: from mail.giac.net (iceman1 [65.173.218.103])
    by dshield.com (8.11.6/8.11.6) with SMTP id hBLDNek25304
    for <list at maverick12.sans.org>; Sun, 21 Dec 2003 13:23:40 GMT
Received: (qmail 17362 invoked from network); 21 Dec 2003 13:23:40 -0000
Received: from  (HELO dshield.org) (@)
    by 0 with SMTP; 21 Dec 2003 13:23:40 -0000
Old-Received: (qmail 17359 invoked from network); 21 Dec 2003 13:23:39 -0000
Old-Received: from mail2.giac.net (HELO iceman.incidents.org) (63.100.47.43)
    by 0 with SMTP; 21 Dec 2003 13:23:39 -0000
Old-Received: (qmail 11971 invoked from network); 21 Dec 2003 13:23:39 -0000
Old-Received: from 216.200.145.27.everyone.net (HELO omta06.mta.everyone.net)
    (216.200.145.27) by 0 with SMTP; 21 Dec 2003 13:23:39 -0000
Old-Received: from sitemail.everyone.net (216.200.145.29.everyone.net
    [216.200.145.29])
    by omta06.mta.everyone.net (Postfix) with ESMTP id 7B9AB433C0
    for <list at dshield.org>; Sun, 21 Dec 2003 05:23:38 -0800 (PST)
Old-Received: by sitemail.everyone.net (Postfix, from userid 99)
    id 3A79E3960; Sun, 21 Dec 2003 05:23:38 -0800 (PST)
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Date: Sun, 21 Dec 2003 05:23:38 -0800 (PST)
From: James Affeld <jimmythegeek at techemail.com>
To: list at dshield.org
X-Originating-Ip: [208.27.35.233]
Message-Id: <20031221132338.3A79E3960 at sitemail.everyone.net>
Old-X-Envelope-To: list at dshield.org
X-Seen-By: bob list
X-Envelope-To: UNKNOWN
X-Mailman-Approved-At: Sun, 21 Dec 2003 13:53:24 +0000
Subject: [Dshield] worm(?) using nsiislog.dll exploit?
X-BeenThere: list at dshield.org
X-Mailman-Version: 2.1.3
Precedence: list
Reply-To: General DShield Discussion List <list at dshield.org>
List-Id: General DShield Discussion List <list.dshield.org>
List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
    <mailto:list-request at dshield.org?subject=unsubscribe>
List-Archive: <http://www.dshield.org/pipermail/list>
List-Post: <mailto:list at dshield.org>
List-Help: <mailto:list-request at dshield.org?subject=help>
List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
    <mailto:list-request at dshield.org?subject=subscribe>
Sender: list-bounces at dshield.org
Errors-To: list-bounces at dshield.org
X-AOL-IP: 65.173.218.103
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
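James's inference above (the scanner's source port steps by one per target, so a port gap that matches the gap between his web servers' addresses means the missing ports went to hosts that never answered) can be turned into a log check. The script below is an added example written for this archive page; it is not code from either poster. It works on constructed alert lines in the same "src port -> dst" shape as the two lines in the post, using documentation IP ranges; the sample data, the `parse_alerts`/`classify_sources` names and the `tolerance` parameter are all assumptions of the example.

```python
"""
Infer a full-subnet sweep from the hits that reached live web servers.

Reasoning from the post: port 3445 hit .10 and port 3448 hit .13, so the
three ports in between went to .11 and .12 (which did not answer). This
added script (not from the original post) applies that check per source
and reports how many unseen targets the port gaps imply.
"""
from collections import defaultdict
import re

# Constructed sample alert lines, same shape as the two lines in the post.
# 203.0.113.7 walks the subnet in order; 192.0.2.44 does not.
SAMPLE_ALERTS = """\
203.0.113.7 3445 -> 198.51.100.10
203.0.113.7 3448 -> 198.51.100.13
203.0.113.7 3452 -> 198.51.100.17
203.0.113.7 3453 -> 198.51.100.18
192.0.2.44 1025 -> 198.51.100.10
192.0.2.44 4411 -> 198.51.100.13
192.0.2.44 2010 -> 198.51.100.17
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+->\s+(\S+)$")


def parse_alerts(text):
    """Return a list of (src_ip, src_port, dst_last_octet) tuples."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable alert line: {line!r}")
        src_ip, port, dst = m.groups()
        hits.append((src_ip, int(port), int(dst.rsplit(".", 1)[1])))
    return hits


def classify_sources(hits, tolerance=0):
    """Compare source-port steps with destination-octet steps per source.

    Returns {src_ip: {"sweep": bool, "implied_misses": int, "hits": int}}.
    A source counts as a sweep when every consecutive pair (ordered by
    source port) has port_delta == ip_delta, within `tolerance`;
    implied_misses is the number of addresses in between that produced
    no alert, i.e. the "dest. host unreachable" cases the sensor never saw.
    """
    by_src = defaultdict(list)
    for src, port, octet in hits:
        by_src[src].append((port, octet))

    result = {}
    for src, pairs in by_src.items():
        pairs.sort()  # walk the hits in source-port order
        consistent = True
        misses = 0
        for (p0, o0), (p1, o1) in zip(pairs, pairs[1:]):
            port_delta, ip_delta = p1 - p0, o1 - o0
            if ip_delta <= 0 or abs(port_delta - ip_delta) > tolerance:
                consistent = False
                break
            misses += ip_delta - 1
        result[src] = {
            "sweep": consistent and len(pairs) >= 2,
            "implied_misses": misses if consistent else 0,
            "hits": len(pairs),
        }
    return result


if __name__ == "__main__":
    for src, info in classify_sources(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```

The check is corroborating evidence rather than proof: any client that opens one connection per target with a sequentially allocated ephemeral port produces the same alignment, while a NAT device or a scanning host with other outbound traffic breaks it, which is what the `tolerance` argument is for. The more useful output for an incident record is `implied_misses`, since it estimates how many of your unused addresses were probed even though the sensor only logged the sessions that completed.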