Heads up! distributed scans and attacks targeting nsiislog.dll

Russell Fulton r.fulton at auckland.ac.nz
Fri Aug 8 03:44:34 GMT 2003


Greetings All,
This morning I noticed that snort had logged a whole lot of
"WEB-IIS nsiislog.dll access" alerts. After several hours of
investigation I decided that there are enough interesting and different
things about this incident to warrant writing a summary of what
happened.

Times are UTC +1200.

Distributed scan from about 40 different sources of port 80 through
130.216.0.0/16 -- start of scan:

07 Aug 03 22:03:18   s       tcp  218.145.25.111.49665  ->   130.216.180.100.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.113.60146  ->       130.216.0.1.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.108.37612  ->       130.216.0.3.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.109.59601  ->       130.216.0.4.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.110.17088  ->       130.216.0.5.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   220.73.165.76.60348  ->       130.216.0.7.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   220.73.165.75.47408  ->       130.216.0.6.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   220.73.165.77.47175  ->       130.216.0.8.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.110.17089  ->       130.216.0.9.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.111.56043  ->      130.216.0.10.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.112.55521  ->      130.216.0.11.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   220.73.165.81.58763  ->      130.216.0.12.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  218.145.25.107.16084  ->      130.216.0.13.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  220.73.165.204.46764  ->      130.216.0.17.80    5        0         0            0           S_
07 Aug 03 22:03:48   s       tcp  220.73.165.205.24843  ->      130.216.0.18.80    5        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   218.145.25.49.13725  ->      130.216.0.19.80    9        0         0            0           S_
07 Aug 03 22:03:48   s       tcp   218.145.25.43.26870  ->      130.216.0.20.80    9        0         0            0           S_


Note the distributed source addresses and the sequential nature of the
scan (the records are in time order). All addresses were in
220.73.165.0/24 or 218.145.25.0/24 (both belong to Korea Telecom). Any
machines that responded on port 80 were then probed for nsiislog.dll:

#0-(1-806765)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.110:52905       130.216.128.94:80       TCP              
#1-(1-806764)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.107:43230       130.216.128.91:80       TCP              
#2-(1-806763)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       220.73.165.139:7390       130.216.128.16:80       TCP              
#3-(1-806762)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:01       218.145.25.47:42492       130.216.112.111:80       TCP              
#4-(1-806761)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.46:45670       130.216.112.103:80       TCP              
#5-(1-806760)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.45:57991       130.216.112.102:80       TCP              
#6-(1-806759)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.44:57460       130.216.112.101:80       TCP              
#7-(1-806758)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.107:39145       130.216.103.95:80       TCP              
#8-(1-806757)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.112:16908       130.216.103.25:80       TCP              
#9-(1-806756)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.111:43986       130.216.103.24:80       TCP              
#10-(1-806754)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:35       218.145.25.43:46740       130.216.98.249:80       TCP              
#11-(1-806755)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       220.73.165.12:41855       130.216.103.5:80       TCP              
#12-(1-806753)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:31       218.145.25.110:46406       130.216.96.144:80       TCP    

About an hour later several machines were attacked from 62.194.21.242
[node-c-15f2.a2000.nl]. I suspect that this might be the controller but
I'm just guessing.

08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
08 Aug 03 00:09:06    tcp   62.194.21.242.3115   ->      130.216.1.22.80    8        8         5840         370         SRA_FSRPA
08 Aug 03 00:09:06    tcp   62.194.21.242.3116   ->      130.216.1.22.34816 3        3         0            0           S_RA
08 Aug 03 00:09:20    tcp   62.194.21.242.3118   ->      130.216.1.25.80    6        7         4380         370         SA_FSRPA
08 Aug 03 00:09:23    tcp   62.194.21.242.3119   ->      130.216.1.25.34816 3        3         0            0           S_RA
08 Aug 03 00:09:25    tcp   62.194.21.242.3120   ->      130.216.1.27.80    5        6         4380         370         SA_FSRPA
08 Aug 03 00:09:26    tcp   62.194.21.242.3121   ->      130.216.1.27.34816 3        3         0            0           S_RA
08 Aug 03 00:09:33    tcp   62.194.21.242.3124   ->     130.216.1.202.80    9        14        2680         486         SRA_FSPA
08 Aug 03 00:09:33    tcp   62.194.21.242.3125   ->     130.216.1.202.34816 3        6         0            0           SRA_SRA
08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
08 Aug 03 00:09:54    tcp   62.194.21.242.3129   ->      130.216.30.1.80    6        7         1668         676         SRA_FSPA
08 Aug 03 00:09:56    tcp   62.194.21.242.3130   ->      130.216.30.1.34816 3        3         0            0           S_RA
08 Aug 03 00:10:01    tcp   62.194.21.242.3131   ->     130.216.30.31.80    8        8         2780         676         SRA_FSRPA0

packet dump of exploit code:

000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73   POST /scripts/ns
010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F   iislog.dll HTTP/
020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.0..Accept: */*
030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53   ..User-Agent: NS
040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31   Player/4.1.0.391
050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   7..Content-Type:
060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E    text/plain..Con
070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39   tent-Length: 999
080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65   6..Pragma: xClie
090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30   ntGUID={89f451e0
0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D   -a491-4346-ad78-
0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D   4d55aac89045}...
0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E   .MX_STATS_LogLin
0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC   e: .............
0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
0f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
100 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
..............

The exploit is almost certainly 
http://www.securityfocus.com/bid/8035/exploit/

This is an IIS bug that was fixed by MS03-018:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp

In the argus logs above you can see the exploit attempt followed
immediately by a probe for the shell on port 34816.

Several hours later the scan and probes were repeated, this time from a
single machine:

08 Aug 03 09:02:28    tcp  203.253.177.80.2378   ->       130.216.0.3.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2377   ->       130.216.0.2.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2376   ->       130.216.0.1.80    1        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2379   ->       130.216.0.4.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2380   ->       130.216.0.5.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2381   ->       130.216.0.6.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2382   ->       130.216.0.7.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2383   ->       130.216.0.8.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2384   ->       130.216.0.9.80    2        0         0            0           S_
08 Aug 03 09:02:28    tcp  203.253.177.80.2387   ->      130.216.0.12.80    2        0         0            0           S_
......

No, we did not get any systems compromised (I'd like to believe that
this is because all our admins have applied MS03-018, but I guess I'd be
deluding myself ;)

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
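The post describes two things worth picking out of flow logs automatically: a port-80 sweep spread across many source addresses walking the target range sequentially, and an answered HTTP request followed within seconds by a connection from the same source to the same host on port 34816. The script below is an added example written for this page (it is not argus, snort or any tool of the author's). It parses summary lines in the argus layout shown in the post, runs both checks over a constructed sample in documentation address ranges, and reports what it finds. The 60-second sweep window, the source and target thresholds, and the 30-second exploit-to-probe window are assumptions chosen for the sample; 34816 is the port the post reports. Snort's "WEB-IIS nsiislog.dll access" alert needs request content, which flow records do not carry, so this is the flow-level complement to that signature, not a replacement for it.

```python
"""Flow-log checks for the two patterns in the post: a distributed, sequential
sweep of port 80, and an HTTP exploit attempt followed by a probe of the shell
port. Example code written for this page, not argus or snort tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SHELL_PORT = 34816  # port the post reports the shell being probed on

# Constructed sample in the argus layout the post shows (documentation-range
# addresses, not the post's hosts): a 10-source sweep, one snort alert line,
# two exploit attempts each followed by a shell probe, and one benign hit.
SAMPLE_LOG = """\
07 Aug 03 22:03:48   s   tcp  192.0.2.11.60146    ->  198.51.100.1.80   9  0  0  0  S_
07 Aug 03 22:03:48   s   tcp  192.0.2.12.37612    ->  198.51.100.2.80   9  0  0  0  S_
07 Aug 03 22:03:48   s   tcp  203.0.113.76.60348  ->  198.51.100.3.80   9  0  0  0  S_
07 Aug 03 22:03:48   s   tcp  203.0.113.75.47408  ->  198.51.100.4.80   9  0  0  0  S_
07 Aug 03 22:03:48   s   tcp  192.0.2.13.17088    ->  198.51.100.5.80   9  0  0  0  S_
07 Aug 03 22:03:49   s   tcp  192.0.2.14.17089    ->  198.51.100.6.80   9  0  0  0  S_
07 Aug 03 22:03:49   s   tcp  203.0.113.81.58763  ->  198.51.100.7.80   9  0  0  0  S_
07 Aug 03 22:03:49   s   tcp  192.0.2.15.16084    ->  198.51.100.8.80   9  0  0  0  S_
07 Aug 03 22:03:49   s   tcp  203.0.113.204.46764 ->  198.51.100.9.80   5  0  0  0  S_
07 Aug 03 22:03:50   s   tcp  192.0.2.16.13725    ->  198.51.100.10.80  9  0  0  0  S_
#0-(1-1)  urlnessus[snort] WEB-IIS nsiislog.dll access  2003-08-07 22:09:25  192.0.2.13:52905  198.51.100.5:80  TCP
08 Aug 03 00:08:44       tcp  198.18.0.5.3109     ->  198.51.100.8.80     5  10  1072  5600  SRA_SPA
08 Aug 03 00:08:45       tcp  198.18.0.5.3110     ->  198.51.100.8.34816  3   0     0     0  S_
08 Aug 03 00:09:06       tcp  198.18.0.5.3115     ->  198.51.100.22.80    8   8  5840   370  SRA_FSRPA
08 Aug 03 00:09:06       tcp  198.18.0.5.3116     ->  198.51.100.22.34816 3   3     0     0  S_RA
08 Aug 03 00:12:00       tcp  198.18.0.9.4000     ->  198.51.100.40.80    6   7   900 12000  SRA_FSPA
"""


def _split_addr(s):
    """'198.51.100.8.34816' -> ('198.51.100.8', 34816)."""
    host, port = s.rsplit(".", 1)
    return host, int(port)


def parse_flow(line):
    """Parse one argus-style line: timestamp, optional flag, proto, src -> dst,
    src pkts, dst pkts, src bytes, dst bytes, state. None for non-flow lines."""
    tok = line.split()
    if "->" not in tok or len(tok) < 11:
        return None
    i = tok.index("->")
    try:
        ts = datetime.strptime(" ".join(tok[:4]), "%d %b %y %H:%M:%S")
        src, sport = _split_addr(tok[i - 1])
        dst, dport = _split_addr(tok[i + 1])
        spkts, dpkts, sbytes, dbytes = (int(x) for x in tok[i + 2:i + 6])
        state = tok[i + 6]
    except (ValueError, IndexError):
        return None
    return {"ts": ts, "proto": tok[i - 2], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "spkts": spkts, "dpkts": dpkts,
            "sbytes": sbytes, "dbytes": dbytes, "state": state}


def parse_log(text):
    return [f for f in map(parse_flow, text.splitlines()) if f]


def _summarise_sweep(group, min_sources, min_targets):
    sources = {f["src"] for f in group}
    targets = sorted({int(ipaddress.ip_address(f["dst"])) for f in group})
    if len(sources) < min_sources or len(targets) < min_targets:
        return None
    # "Sequential": most neighbouring target addresses differ by exactly one.
    steps = sum(1 for a, b in zip(targets, targets[1:]) if b - a == 1)
    nets = {str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in sources}
    return {"start": group[0]["ts"], "sources": len(sources),
            "source_nets": sorted(nets), "targets": len(targets),
            "sequential": steps >= max(1, (len(targets) - 1) // 2)}


def detect_distributed_sweep(flows, window=timedelta(seconds=60),
                             min_sources=5, min_targets=10):
    """Unanswered SYNs to port 80 (no reply packets) from many sources hitting
    many targets inside one window, as in the post's first argus excerpt."""
    syns = sorted((f for f in flows if f["dport"] == 80 and f["dpkts"] == 0),
                  key=lambda f: f["ts"])
    findings, group = [], []
    for f in syns + [None]:  # sentinel flushes the final group
        if group and (f is None or f["ts"] - group[0]["ts"] > window):
            finding = _summarise_sweep(group, min_sources, min_targets)
            if finding:
                findings.append(finding)
            group = []
        if f is not None:
            group.append(f)
    return findings


def detect_exploit_then_shell_probe(flows, shell_port=SHELL_PORT,
                                    window=timedelta(seconds=30)):
    """Pair each answered port-80 conversation (server returned bytes) with a
    connection from the same source to the same host on shell_port shortly
    after, which is the exploit-then-probe sequence the post points out."""
    probes = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == shell_port:
            probes[(f["src"], f["dst"])].append(f)
    findings = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] != 80 or f["dbytes"] == 0:
            continue
        for p in probes.get((f["src"], f["dst"]), []):
            if timedelta(0) <= p["ts"] - f["ts"] <= window:
                findings.append({"src": f["src"], "dst": f["dst"],
                                 "http_at": f["ts"], "probe_at": p["ts"],
                                 "probe_state": p["state"],
                                 "probe_answered": p["dpkts"] > 0})
    return findings


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for s in detect_distributed_sweep(flows):
        print("sweep:", s)
    for p in detect_exploit_then_shell_probe(flows):
        print("exploit then shell probe:", p)
```

On the sample, the sweep check reports one finding with ten sources in two /24s walking ten consecutive targets, and the pairing check reports two hosts where a shell probe followed an answered HTTP request (one probe unanswered, one reset), while the benign port-80 conversation with no follow-up is left alone. `probe_answered` is the field to look at first in a real run: a probe that completes a handshake, rather than being reset or ignored, is the case that warrants pulling the host for inspection.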



More information about the unisog mailing list