[unisog] Heads up! distributed scans and attacks targeting nsiss.dll

Anderson Johnston andy at umbc.edu
Fri Aug 8 19:16:57 GMT 2003



This was in our scan summary for 29 jul 2003:

Scanner IP              # Targets               Ports                   Type
-------------------     --------------          -----------             -----------
218.145.25.43           816                     80                      SYN
218.145.25.44           874                     80                      SYN
218.145.25.45           766                     80                      SYN
218.145.25.46           759                     80                      SYN
218.145.25.47           565                     80                      SYN
218.145.25.48           499                     80                      SYN
218.145.25.49           606                     80                      SYN
218.145.25.107          823                     80                      SYN
218.145.25.108          967                     80                      SYN
218.145.25.109          978                     80                      SYN
218.145.25.110          962                     80                      SYN
218.145.25.112          906                     80                      SYN
218.145.25.113          827                     80                      SYN

and here's an excerpt of the scan report itself:

Jul 29 18:05:01 218.145.25.113:22500 -> MY.NET.1.60:80 SYN ******S*
Jul 29 18:05:01 218.145.25.113:22502 -> MY.NET.1.78:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22507 -> MY.NET.1.124:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22499 -> MY.NET.1.53:80 SYN ******S*
Jul 29 18:05:01 218.145.25.113:22505 -> MY.NET.1.122:80 SYN ******S*
Jul 29 18:05:01 218.145.25.113:22496 -> MY.NET.1.14:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22529 -> MY.NET.2.20:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22519 -> MY.NET.1.206:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22523 -> MY.NET.1.245:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22516 -> MY.NET.1.181:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22524 -> MY.NET.1.250:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22518 -> MY.NET.1.193:80 SYN ******S*
Jul 29 18:05:04 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
Jul 29 18:05:05 218.145.25.113:22656 -> MY.NET.2.212:80 SYN ******S*
Jul 29 18:05:05 218.145.25.113:22660 -> MY.NET.3.12:80 SYN ******S*
Jul 29 18:05:05 218.145.25.113:22679 -> MY.NET.3.186:80 SYN ******S*
Jul 29 18:05:05 218.145.25.113:22680 -> MY.NET.3.191:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59445 -> MY.NET.1.191:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59448 -> MY.NET.1.204:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59442 -> MY.NET.1.184:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59437 -> MY.NET.1.138:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59426 -> MY.NET.1.74:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59431 -> MY.NET.1.113:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59423 -> MY.NET.1.70:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59457 -> MY.NET.2.30:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59455 -> MY.NET.2.16:80 SYN ******S*
Jul 29 18:05:05 218.145.25.109:59547 -> MY.NET.2.144:80 SYN ******S*
Jul 29 18:05:05 218.145.25.109:59559 -> MY.NET.2.229:80 SYN ******S*
Jul 29 18:05:05 218.145.25.109:59560 -> MY.NET.2.233:80 SYN ******S*

My times are GMT -0400, so the scan started around 22:00 jul 29 GMT .
Yours were around 10:00 aug 03 GMT.  MY.NET is 130.85.  It seems a long
time to get from 130.85 to 130.216 if the scan just stepped up the
addresses.

On 8 Aug 2003, Russell Fulton wrote:

> Greetings All,
> 	     This morning I noticed that snort had logged a whole lot of
> "WEB-IIS nsiislog.dll access" alerts. After several hours of
> investigation I decided that there are enough interesting and different
> things about this incident to warrant writing a summary of what
> happened.
>
> Times are UTC +1200.
>
> Distributed scan from about 40 different sources of port 80 through
> 130.216.0.0/16 -- start of scan:
>
> 07 Aug 03 22:03:18   s       tcp  218.145.25.111.49665  ->   130.216.180.100.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.113.60146  ->       130.216.0.1.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.108.37612  ->       130.216.0.3.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.109.59601  ->       130.216.0.4.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.110.17088  ->       130.216.0.5.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   220.73.165.76.60348  ->       130.216.0.7.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   220.73.165.75.47408  ->       130.216.0.6.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   220.73.165.77.47175  ->       130.216.0.8.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.110.17089  ->       130.216.0.9.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.111.56043  ->      130.216.0.10.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.112.55521  ->      130.216.0.11.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   220.73.165.81.58763  ->      130.216.0.12.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  218.145.25.107.16084  ->      130.216.0.13.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  220.73.165.204.46764  ->      130.216.0.17.80    5        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp  220.73.165.205.24843  ->      130.216.0.18.80    5        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   218.145.25.49.13725  ->      130.216.0.19.80    9        0         0            0           S_
> 07 Aug 03 22:03:48   s       tcp   218.145.25.43.26870  ->      130.216.0.20.80    9        0         0            0           S_
>
>
> Note the distributed source addresses and the sequential nature of the
> scan (the records are in time order). All addresses were in
> 220.73.165.0/24 or 218.145.25.0/24 (both belong to Korea Telecom). Any
> machines that responded on port 80 were then probed for nsiss.dll:
>
> #0-(1-806765)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.110:52905       130.216.128.94:80       TCP
> #1-(1-806764)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.107:43230       130.216.128.91:80       TCP
> #2-(1-806763)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       220.73.165.139:7390       130.216.128.16:80       TCP
> #3-(1-806762)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:01       218.145.25.47:42492       130.216.112.111:80       TCP
> #4-(1-806761)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.46:45670       130.216.112.103:80       TCP
> #5-(1-806760)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.45:57991       130.216.112.102:80       TCP
> #6-(1-806759)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.44:57460       130.216.112.101:80       TCP
> #7-(1-806758)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.107:39145       130.216.103.95:80       TCP
> #8-(1-806757)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.112:16908       130.216.103.25:80       TCP
> #9-(1-806756)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.111:43986       130.216.103.24:80       TCP
> #10-(1-806754)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:35       218.145.25.43:46740       130.216.98.249:80       TCP
> #11-(1-806755)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       220.73.165.12:41855       130.216.103.5:80       TCP
> #12-(1-806753)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:31       218.145.25.110:46406       130.216.96.144:80       TCP
>
> About an hour later several machines were attacked from 62.194.21.242
> [node-c-15f2.a2000.nl]  I suspect that this might be the controller but
> I'm just guessing.
>
> 08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
> 08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
> 08 Aug 03 00:09:06    tcp   62.194.21.242.3115   ->      130.216.1.22.80    8        8         5840         370         SRA_FSRPA
> 08 Aug 03 00:09:06    tcp   62.194.21.242.3116   ->      130.216.1.22.34816 3        3         0            0           S_RA
> 08 Aug 03 00:09:20    tcp   62.194.21.242.3118   ->      130.216.1.25.80    6        7         4380         370         SA_FSRPA
> 08 Aug 03 00:09:23    tcp   62.194.21.242.3119   ->      130.216.1.25.34816 3        3         0            0           S_RA
> 08 Aug 03 00:09:25    tcp   62.194.21.242.3120   ->      130.216.1.27.80    5        6         4380         370         SA_FSRPA
> 08 Aug 03 00:09:26    tcp   62.194.21.242.3121   ->      130.216.1.27.34816 3        3         0            0           S_RA
> 08 Aug 03 00:09:33    tcp   62.194.21.242.3124   ->     130.216.1.202.80    9        14        2680         486         SRA_FSPA
> 08 Aug 03 00:09:33    tcp   62.194.21.242.3125   ->     130.216.1.202.34816 3        6         0            0           SRA_SRA
> 08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
> 08 Aug 03 00:09:54    tcp   62.194.21.242.3129   ->      130.216.30.1.80    6        7         1668         676         SRA_FSPA
> 08 Aug 03 00:09:56    tcp   62.194.21.242.3130   ->      130.216.30.1.34816 3        3         0            0           S_RA
> 08 Aug 03 00:10:01    tcp   62.194.21.242.3131   ->     130.216.30.31.80    8        8         2780         676         SRA_FSRPA0
>
> packet dump of exploit code:
>
> 000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73   POST /scripts/ns
> 010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F   iislog.dll HTTP/
> 020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.0..Accept: */*
> 030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53   ..User-Agent: NS
> 040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31   Player/4.1.0.391
> 050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   7..Content-Type:
> 060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E    text/plain..Con
> 070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39   tent-Length: 999
> 080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65   6..Pragma: xClie
> 090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30   ntGUID={89f451e0
> 0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D   -a491-4346-ad78-
> 0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D   4d55aac89045}...
> 0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E   .MX_STATS_LogLin
> 0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC   e: .............
> 0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
> 0f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
> 100 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
> 110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
> ..............
>
> The exploit is almost certainly
> http://www.securityfocus.com/bid/8035/exploit/
>
> This is an IIS bug that was fixed by MS03-018:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp
>
> In the argus logs above you can see the exploit attempt followed
> immediately by a probe for the shell on port 34816.
>
> Several hours later the scan an probes were repeated, this time from a
> single machine:
>
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2378   ->       130.216.0.3.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2377   ->       130.216.0.2.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2376   ->       130.216.0.1.80    1        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2379   ->       130.216.0.4.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2380   ->       130.216.0.5.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2381   ->       130.216.0.6.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2382   ->       130.216.0.7.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2383   ->       130.216.0.8.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2384   ->       130.216.0.9.80    2        0         0            0           S_
> 08 Aug 03 09:02:28    tcp  203.253.177.80.2387   ->      130.216.0.12.80    2        0         0            0           S_
> ......
>
> No, we did not get any systems compromised (I'd like to believe that
> this is because all our admins have applied MS03-018, but I guess I'd be
> deluding myself ;)
>
> --
> Russell Fulton, Network Security Officer, The University of Auckland,
> New Zealand.
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------




More information about the unisog mailing list