Greetings All,

This morning I noticed that snort had logged a whole lot of "WEB-IIS nsiislog.dll access" alerts. After several hours of investigation I decided that there are enough interesting and different things about this incident to warrant writing a summary of what happened. Times are UTC +1200.

Distributed scan from about 40 different sources of port 80 through 130.216.0.0/16 -- start of scan:

07 Aug 03 22:03:18 s tcp 218.145.25.111.49665 -> 130.216.180.100.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.113.60146 -> 130.216.0.1.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.108.37612 -> 130.216.0.3.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.109.59601 -> 130.216.0.4.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.110.17088 -> 130.216.0.5.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.76.60348 -> 130.216.0.7.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.75.47408 -> 130.216.0.6.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.77.47175 -> 130.216.0.8.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.110.17089 -> 130.216.0.9.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.111.56043 -> 130.216.0.10.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.112.55521 -> 130.216.0.11.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.81.58763 -> 130.216.0.12.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.107.16084 -> 130.216.0.13.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.204.46764 -> 130.216.0.17.80 5 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.205.24843 -> 130.216.0.18.80 5 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.49.13725 -> 130.216.0.19.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.43.26870 -> 130.216.0.20.80 9 0 0 0 S_

Note the distributed source addresses and the sequential nature of the scan (the records are in time order). All addresses were in 220.73.165.0/24 or 218.145.25.0/24 (both belong to Korea Telecom).
Any machines that responded on port 80 were then probed for nsiislog.dll:

#0-(1-806765) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:25 218.145.25.110:52905 130.216.128.94:80 TCP
#1-(1-806764) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:25 218.145.25.107:43230 130.216.128.91:80 TCP
#2-(1-806763) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:25 220.73.165.139:7390 130.216.128.16:80 TCP
#3-(1-806762) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:01 218.145.25.47:42492 130.216.112.111:80 TCP
#4-(1-806761) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:00 218.145.25.46:45670 130.216.112.103:80 TCP
#5-(1-806760) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:00 218.145.25.45:57991 130.216.112.102:80 TCP
#6-(1-806759) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:09:00 218.145.25.44:57460 130.216.112.101:80 TCP
#7-(1-806758) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:44 218.145.25.107:39145 130.216.103.95:80 TCP
#8-(1-806757) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:44 218.145.25.112:16908 130.216.103.25:80 TCP
#9-(1-806756) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:44 218.145.25.111:43986 130.216.103.24:80 TCP
#10-(1-806754) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:35 218.145.25.43:46740 130.216.98.249:80 TCP
#11-(1-806755) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:44 220.73.165.12:41855 130.216.103.5:80 TCP
#12-(1-806753) urlnessus[snort] WEB-IIS nsiislog.dll access 2003-08-07 22:08:31 218.145.25.110:46406 130.216.96.144:80 TCP

About an hour later several machines were attacked from 62.194.21.242 [node-c-15f2.a2000.nl]. I suspect that this might be the controller but I'm just guessing.
08 Aug 03 00:08:44 tcp 62.194.21.242.3109 -> 130.216.1.8.80 5 10 1072 5600 SRA_SPA
08 Aug 03 00:08:45 tcp 62.194.21.242.3110 -> 130.216.1.8.34816 3 0 0 0 S_
08 Aug 03 00:09:06 tcp 62.194.21.242.3115 -> 130.216.1.22.80 8 8 5840 370 SRA_FSRPA
08 Aug 03 00:09:06 tcp 62.194.21.242.3116 -> 130.216.1.22.34816 3 3 0 0 S_RA
08 Aug 03 00:09:20 tcp 62.194.21.242.3118 -> 130.216.1.25.80 6 7 4380 370 SA_FSRPA
08 Aug 03 00:09:23 tcp 62.194.21.242.3119 -> 130.216.1.25.34816 3 3 0 0 S_RA
08 Aug 03 00:09:25 tcp 62.194.21.242.3120 -> 130.216.1.27.80 5 6 4380 370 SA_FSRPA
08 Aug 03 00:09:26 tcp 62.194.21.242.3121 -> 130.216.1.27.34816 3 3 0 0 S_RA
08 Aug 03 00:09:33 tcp 62.194.21.242.3124 -> 130.216.1.202.80 9 14 2680 486 SRA_FSPA
08 Aug 03 00:09:33 tcp 62.194.21.242.3125 -> 130.216.1.202.34816 3 6 0 0 SRA_SRA
08 Aug 03 00:09:40 tcp 62.194.21.242.3126 -> 130.216.11.45.80 3 3 0 0 S_RA
08 Aug 03 00:09:54 tcp 62.194.21.242.3129 -> 130.216.30.1.80 6 7 1668 676 SRA_FSPA
08 Aug 03 00:09:56 tcp 62.194.21.242.3130 -> 130.216.30.1.34816 3 3 0 0 S_RA
08 Aug 03 00:10:01 tcp 62.194.21.242.3131 -> 130.216.30.31.80 8 8 2780 676 SRA_FSRPA

packet dump of exploit code:

000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73 POST /scripts/ns
010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F iislog.dll HTTP/
020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 1.0..Accept: */*
030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53 ..User-Agent: NS
040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31 Player/4.1.0.391
050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 7..Content-Type:
060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E  text/plain..Con
070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39 tent-Length: 999
080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65 6..Pragma: xClie
090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30 ntGUID={89f451e0
0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D -a491-4346-ad78-
0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D 4d55aac89045}...
0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E .MX_STATS_LogLin
0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC e: .............
0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
0f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
100 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
..............

The exploit is almost certainly http://www.securityfocus.com/bid/8035/exploit/

This is an IIS bug that was fixed by MS03-018: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp

In the argus logs above you can see the exploit attempt followed immediately by a probe for the shell on port 34816.

Several hours later the scan and probes were repeated, this time from a single machine:

08 Aug 03 09:02:28 tcp 203.253.177.80.2378 -> 130.216.0.3.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2377 -> 130.216.0.2.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2376 -> 130.216.0.1.80 1 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2379 -> 130.216.0.4.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2380 -> 130.216.0.5.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2381 -> 130.216.0.6.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2382 -> 130.216.0.7.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2383 -> 130.216.0.8.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2384 -> 130.216.0.9.80 2 0 0 0 S_
08 Aug 03 09:02:28 tcp 203.253.177.80.2387 -> 130.216.0.12.80 2 0 0 0 S_
......

No, we did not get any systems compromised (I'd like to believe that this is because all our admins have applied MS03-018, but I guess I'd be deluding myself ;)

-- 
Russell Fulton, Network Security Officer, The University of Auckland, New Zealand.
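The two patterns the post reads off the argus records by eye (a sequential walk of port 80 spread across many sources, and a data-carrying connection to port 80 followed within seconds by a probe of port 34816 on the same host) can be checked mechanically. The script below is an added example, not the author's tooling; it embeds a handful of the post's own records as sample input and assumes argus "ra" output in the column order shown above. The thresholds (60-second slots, eight targets, address density 0.5, a 60-second exploit-to-probe gap) are assumptions a site would tune.

```python
"""Correlate argus flow records: spot a distributed, sequential port-80 scan and pair
each exploit attempt with the follow-up probe of the shell port.
Added example, not the author's tooling; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Sample records copied from the post (argus 'ra' layout: date time [flag] proto
# src.port -> dst.port spkts dpkts sbytes dbytes state); a subset is enough here.
SCAN_RECORDS = """\
07 Aug 03 22:03:48 s tcp 218.145.25.113.60146 -> 130.216.0.1.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.108.37612 -> 130.216.0.3.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.109.59601 -> 130.216.0.4.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.110.17088 -> 130.216.0.5.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.76.60348 -> 130.216.0.7.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.75.47408 -> 130.216.0.6.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 220.73.165.77.47175 -> 130.216.0.8.80 9 0 0 0 S_
07 Aug 03 22:03:48 s tcp 218.145.25.110.17089 -> 130.216.0.9.80 9 0 0 0 S_
"""
ATTACK_RECORDS = """\
08 Aug 03 00:08:44 tcp 62.194.21.242.3109 -> 130.216.1.8.80 5 10 1072 5600 SRA_SPA
08 Aug 03 00:08:45 tcp 62.194.21.242.3110 -> 130.216.1.8.34816 3 0 0 0 S_
08 Aug 03 00:09:06 tcp 62.194.21.242.3115 -> 130.216.1.22.80 8 8 5840 370 SRA_FSRPA
08 Aug 03 00:09:06 tcp 62.194.21.242.3116 -> 130.216.1.22.34816 3 3 0 0 S_RA
08 Aug 03 00:09:40 tcp 62.194.21.242.3126 -> 130.216.11.45.80 3 3 0 0 S_RA
"""


def parse_record(line):
    """Split one argus line into fields. The optional 's' flag before 'tcp' is
    skipped by locating the '->' token instead of counting columns."""
    t = line.split()
    i = t.index("->")
    src, sport = t[i - 1].rsplit(".", 1)
    dst, dport = t[i + 1].rsplit(".", 1)
    return {"time": datetime.strptime(" ".join(t[:4]), "%d %b %y %H:%M:%S"),
            "proto": t[i - 2], "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "spkts": int(t[i + 2]),
            "dpkts": int(t[i + 3]), "sbytes": int(t[i + 4]),
            "dbytes": int(t[i + 5]), "state": t[i + 6]}


def parse_records(text):
    return [parse_record(ln) for ln in text.splitlines() if "->" in ln]


def find_scans(records, port=80, window=60, min_targets=8, min_density=0.5):
    """Bucket unanswered SYNs to `port` into `window`-second slots. A slot with many
    distinct targets is a scan; density (targets / address span) near 1 means the
    addresses were walked sequentially; several sources means it was distributed."""
    if not records:
        return []
    base = min(r["time"] for r in records)
    slots = defaultdict(list)
    for r in records:
        if r["dport"] == port and r["dpkts"] == 0 and r["state"] == "S_":
            slots[int((r["time"] - base).total_seconds()) // window].append(r)
    findings = []
    for _, flows in sorted(slots.items()):
        targets = {int(ip_address(f["dst"])) for f in flows}
        if len(targets) < min_targets:
            continue
        density = len(targets) / (max(targets) - min(targets) + 1)
        sources = {f["src"] for f in flows}
        findings.append({"start": min(f["time"] for f in flows),
                         "sources": len(sources), "targets": len(targets),
                         "density": round(density, 2),
                         "sequential": density >= min_density,
                         "distributed": len(sources) > 1})
    return findings


def classify_probe(probe):
    """What the probed host said back: nothing, a RST (port closed), or something
    else. Anything in the last class deserves a look at the host itself."""
    if probe["dpkts"] == 0:
        return "unanswered"
    dst_flags = probe["state"].partition("_")[2]  # flags seen from the target side
    return "reset" if "R" in dst_flags else "answered"


def find_exploit_probe_pairs(records, svc_port=80, shell_port=34816, within=60):
    """Pair each data-carrying flow to svc_port with a later flow from the same
    source to shell_port on the same host within `within` seconds: the
    exploit-then-look-for-the-shell sequence visible in the post's logs."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    pairs = []
    for (src, host), flows in by_pair.items():
        attempts = [f for f in flows if f["dport"] == svc_port and f["sbytes"] > 0]
        probes = [f for f in flows if f["dport"] == shell_port]
        for a in attempts:
            for p in probes:
                delay = (p["time"] - a["time"]).total_seconds()
                if 0 <= delay <= within:
                    pairs.append({"src": src, "host": host, "delay": delay,
                                  "probe": classify_probe(p)})
    return pairs


if __name__ == "__main__":
    for f in find_scans(parse_records(SCAN_RECORDS)):
        print("scan:", f)
    for p in find_exploit_probe_pairs(parse_records(ATTACK_RECORDS)):
        print("exploit->probe:", p)
```

Run on the post's own records, the scan slot reports seven sources walking eight consecutive addresses (density 0.89), and the attack records yield two exploit-to-probe pairs: one where the 34816 probe went unanswered and one where the host answered with a RST, i.e. no listener. A probe classified as "answered" is the one outcome worth a host-level follow-up.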
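To turn the packet dump into something a parser can examine, the example below (added here; it is neither the author's code nor the Snort rule that fired) rebuilds the request bytes from the "offset : hex  ascii" layout used above, splits off the HTTP headers and reports the signs that separate this request from a legitimate Windows Media logging post: a declared Content-Length far beyond any log line, and an MX_STATS_LogLine value made of binary filler rather than text. The sample dump is the first fifteen lines of the post's own dump; the 1024-byte limit and the benign comparison request are assumptions.

```python
"""Rebuild a captured HTTP request from a hex dump and flag the nsiislog.dll
overflow pattern. Added example, not the author's tooling or the Snort rule."""
import string

# Constructed sample: the first 15 dump lines from the post (headers plus the start
# of the 0xCC-filled MX_STATS_LogLine body), in the same "offset : hex  ascii" layout.
DUMP = """\
000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73 POST /scripts/ns
010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F iislog.dll HTTP/
020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 1.0..Accept: */*
030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53 ..User-Agent: NS
040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31 Player/4.1.0.391
050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 7..Content-Type:
060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E  text/plain..Con
070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39 tent-Length: 999
080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65 6..Pragma: xClie
090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30 ntGUID={89f451e0
0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D -a491-4346-ad78-
0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D 4d55aac89045}...
0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E .MX_STATS_LogLin
0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC e: .............
0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
"""

LOGLINE_LIMIT = 1024  # assumed threshold, far above any legitimate log line value

# Constructed benign comparison: same URL, short printable log line, honest length.
_body = b"MX_STATS_LogLine: 3.1|client=1|bytes=4096"
BENIGN = (b"POST /scripts/nsiislog.dll HTTP/1.0\r\nUser-Agent: NSPlayer/4.1.0.3917\r\n"
          b"Content-Length: %d\r\n\r\n" % len(_body)) + _body


def parse_hexdump(text):
    """Return the bytes encoded by an 'offset : up to 16 hex pairs  ascii' dump.
    Hex pairs are read until the first non-hex token or the 16th byte, so the
    ASCII column is never mistaken for data."""
    out = bytearray()
    for line in text.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        taken = 0
        for tok in rest.split():
            if taken == 16 or len(tok) != 2 or any(c not in string.hexdigits for c in tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def analyze_request(raw, limit=LOGLINE_LIMIT):
    """Parse one HTTP request and report the nsiislog.dll-specific warning signs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    path = rest.split(b" ", 1)[0]
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        declared = 0
    report = {"method": method.decode("latin-1"), "path": path.decode("latin-1"),
              "targets_nsiislog": path.lower().endswith(b"/nsiislog.dll"),
              "content_length": declared, "captured_body": len(body),
              "logline_len": None, "reasons": []}
    marker = b"MX_STATS_LogLine:"
    pos = body.find(marker)
    if pos != -1:
        value = body[pos + len(marker):].lstrip(b" ").split(b"\r\n", 1)[0]
        report["logline_len"] = len(value)
        if len(value) > limit:
            report["reasons"].append("oversized_logline")
        if any(b < 0x20 or b > 0x7E for b in value):  # 0xCC filler is not log text
            report["reasons"].append("binary_logline")
    if report["targets_nsiislog"] and declared > limit:
        report["reasons"].append("oversized_content_length")
    report["suspicious"] = report["targets_nsiislog"] and bool(report["reasons"])
    return report


if __name__ == "__main__":
    print(analyze_request(parse_hexdump(DUMP)))
    print(analyze_request(BENIGN))
```

On the post's dump the parser recovers 240 bytes, the declared Content-Length of 9996 trips the limit even though only 47 body bytes were captured, and the 29 captured value bytes are all 0xCC; the benign request raises nothing. Checking the declared length as well as the captured value matters because a sensor that only sees the first segment of the POST would otherwise miss the overflow.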
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:07:17 PDT