[Dshield] worm(?) using nsiislog.dll exploit?
jayjwa at atr2.ath.cx
Mon Dec 22 18:41:11 GMT 2003
On Sun, 21 Dec 2003, James Affeld wrote:
> Subject: [Dshield] worm(?) using nsiislog.dll exploit?
> I've seen exploit attempts against the 11 web servers I run.
> 16 different hosts from Korea, Germany, etc. have tried to use the nsiislog.dll file in the last month or so. Judging from the way the source port increments to match gaps in the ip addresses of my web servers, I believe it tries every ip in the subnet. I only alert on the successful sessions that contain this exploit so I don't see the "dest. host unreachable" messages. It doesn't send it with the syn packet so I don't hear about the misses, only the hits.
> If this were a tool being used manually, I wouldn't expect to see it from 16 different hosts. The vulnerable .dll gets installed with Windows Media Services on Windows 2000 server/IIS 5.0. The fact that it is not installed by default probably explains the sub-epidemic level of attacks.
There's several tools, actually it's quite wide-spread, I dare say one of
the most popular exploits. A few months back I had a rash of them. I run
Apache. So I mkdir a scripts directory, touch nsiislog.dll, made an error
doc to handle the requests for it (complete with a "colorful" message),
and sat back to watch the fun. I tired of this after about 4 days, and the
probing kept up, so I packed up my httpd and moved it up to port 443,
SSL'ed it and forgot all about nsiislog.dll's. It didn' follow me to that
The tool I saw is a C program (or Perl ones I've seen too) that have a
space to insert a proxy server of the user's choice. You may have had
several guys, using multiple proxies. Out of curiousity, see if some of
the IP's come back running proxy servers.
[jayjwa] RLF#37 Raq glenaal: Nffnfvangr Ovyy Tngrf
[Atr2 Labs] Jvaqbjf vf n qvfrnfr
Finger for proj. "Putting encryption to good use."
=Linux Tough.Powered By Slackware=-HTTPS|FTP|SILC|SSH-=
More information about the list