Heads up! distributed scans and attacks targeting nsiss.dll

From: Russell Fulton (r.fultonat_private)
Date: Thu Aug 07 2003 - 20:44:34 PDT


    Greetings All,
    This morning I noticed that snort had logged a whole lot of
    "WEB-IIS nsiislog.dll access" alerts. After several hours of
    investigation I decided that there are enough interesting and different
    things about this incident to warrant writing a summary of what
    happened.
    
    Times are UTC +1200.
    
    Distributed scan from about 40 different sources of port 80 through
    130.216.0.0/16 -- start of scan:
    
    07 Aug 03 22:03:18   s       tcp  218.145.25.111.49665  ->   130.216.180.100.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.113.60146  ->       130.216.0.1.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.108.37612  ->       130.216.0.3.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.109.59601  ->       130.216.0.4.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.110.17088  ->       130.216.0.5.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   220.73.165.76.60348  ->       130.216.0.7.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   220.73.165.75.47408  ->       130.216.0.6.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   220.73.165.77.47175  ->       130.216.0.8.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.110.17089  ->       130.216.0.9.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.111.56043  ->      130.216.0.10.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.112.55521  ->      130.216.0.11.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   220.73.165.81.58763  ->      130.216.0.12.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  218.145.25.107.16084  ->      130.216.0.13.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  220.73.165.204.46764  ->      130.216.0.17.80    5        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp  220.73.165.205.24843  ->      130.216.0.18.80    5        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   218.145.25.49.13725  ->      130.216.0.19.80    9        0         0            0           S_
    07 Aug 03 22:03:48   s       tcp   218.145.25.43.26870  ->      130.216.0.20.80    9        0         0            0           S_
    
    
    Note the distributed source addresses and the sequential nature of the
    scan (the records are in time order). All addresses were in
    220.73.165.0/24 or 218.145.25.0/24 (both belong to Korea Telecom). Any
    machines that responded on port 80 were then probed for nsiislog.dll:
    
    #0-(1-806765)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.110:52905       130.216.128.94:80       TCP              
    #1-(1-806764)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.107:43230       130.216.128.91:80       TCP              
    #2-(1-806763)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       220.73.165.139:7390       130.216.128.16:80       TCP              
    #3-(1-806762)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:01       218.145.25.47:42492       130.216.112.111:80       TCP              
    #4-(1-806761)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.46:45670       130.216.112.103:80       TCP              
    #5-(1-806760)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.45:57991       130.216.112.102:80       TCP              
    #6-(1-806759)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.44:57460       130.216.112.101:80       TCP              
    #7-(1-806758)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.107:39145       130.216.103.95:80       TCP              
    #8-(1-806757)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.112:16908       130.216.103.25:80       TCP              
    #9-(1-806756)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.111:43986       130.216.103.24:80       TCP              
    #10-(1-806754)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:35       218.145.25.43:46740       130.216.98.249:80       TCP              
    #11-(1-806755)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       220.73.165.12:41855       130.216.103.5:80       TCP              
    #12-(1-806753)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:31       218.145.25.110:46406       130.216.96.144:80       TCP    
    
    About an hour later several machines were attacked from 62.194.21.242
    [node-c-15f2.a2000.nl]  I suspect that this might be the controller but
    I'm just guessing.
    
    08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
    08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
    08 Aug 03 00:09:06    tcp   62.194.21.242.3115   ->      130.216.1.22.80    8        8         5840         370         SRA_FSRPA
    08 Aug 03 00:09:06    tcp   62.194.21.242.3116   ->      130.216.1.22.34816 3        3         0            0           S_RA
    08 Aug 03 00:09:20    tcp   62.194.21.242.3118   ->      130.216.1.25.80    6        7         4380         370         SA_FSRPA
    08 Aug 03 00:09:23    tcp   62.194.21.242.3119   ->      130.216.1.25.34816 3        3         0            0           S_RA
    08 Aug 03 00:09:25    tcp   62.194.21.242.3120   ->      130.216.1.27.80    5        6         4380         370         SA_FSRPA
    08 Aug 03 00:09:26    tcp   62.194.21.242.3121   ->      130.216.1.27.34816 3        3         0            0           S_RA
    08 Aug 03 00:09:33    tcp   62.194.21.242.3124   ->     130.216.1.202.80    9        14        2680         486         SRA_FSPA
    08 Aug 03 00:09:33    tcp   62.194.21.242.3125   ->     130.216.1.202.34816 3        6         0            0           SRA_SRA
    08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
    08 Aug 03 00:09:54    tcp   62.194.21.242.3129   ->      130.216.30.1.80    6        7         1668         676         SRA_FSPA
    08 Aug 03 00:09:56    tcp   62.194.21.242.3130   ->      130.216.30.1.34816 3        3         0            0           S_RA
    08 Aug 03 00:10:01    tcp   62.194.21.242.3131   ->     130.216.30.31.80    8        8         2780         676         SRA_FSRPA0
    
    packet dump of exploit code:
    
    000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73   POST /scripts/ns
    010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F   iislog.dll HTTP/
    020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.0..Accept: */*
    030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53   ..User-Agent: NS
    040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31   Player/4.1.0.391
    050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   7..Content-Type:
    060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E    text/plain..Con
    070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39   tent-Length: 999
    080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65   6..Pragma: xClie
    090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30   ntGUID={89f451e0
    0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D   -a491-4346-ad78-
    0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D   4d55aac89045}...
    0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E   .MX_STATS_LogLin
    0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC   e: .............
    0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    0f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    100 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    ..............
    
    The exploit is almost certainly 
    http://www.securityfocus.com/bid/8035/exploit/
    
    This is an IIS bug that was fixed by MS03-018:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp
    
    In the argus logs above you can see the exploit attempt followed
    immediately by a probe for the shell on port 34816.
    
    Several hours later the scan and probes were repeated, this time from a
    single machine:
    
    08 Aug 03 09:02:28    tcp  203.253.177.80.2378   ->       130.216.0.3.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2377   ->       130.216.0.2.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2376   ->       130.216.0.1.80    1        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2379   ->       130.216.0.4.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2380   ->       130.216.0.5.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2381   ->       130.216.0.6.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2382   ->       130.216.0.7.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2383   ->       130.216.0.8.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2384   ->       130.216.0.9.80    2        0         0            0           S_
    08 Aug 03 09:02:28    tcp  203.253.177.80.2387   ->      130.216.0.12.80    2        0         0            0           S_
    ......
    
    No, we did not get any systems compromised (I'd like to believe that
    this is because all our admins have applied MS03-018, but I guess I'd be
    deluding myself ;)
    
    -- 
    Russell Fulton, Network Security Officer, The University of Auckland,
    New Zealand.
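As an added illustration of the correlation the post points out in its argus logs (this is not the author's tooling), the following Python parses flow records in the layout quoted above and pairs each sizeable request to port 80 with a follow-up connection attempt from the same source to the same host on port 34816. The sample records are constructed in the post's format, and the 1000-byte threshold and 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input in the argus layout quoted in the post: four records
# mirror the 62.194.21.242 activity, the last two are controls that must not match.
SAMPLE_FLOWS = """\
08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
08 Aug 03 00:09:06    tcp   62.194.21.242.3115   ->      130.216.1.22.80    8        8         5840         370         SRA_FSRPA
08 Aug 03 00:09:06    tcp   62.194.21.242.3116   ->      130.216.1.22.34816 3        3         0            0           S_RA
08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
08 Aug 03 09:02:28    tcp  203.253.177.80.2378   ->       130.216.0.3.80    2        0         0            0           S_
"""

# One record: timestamp, optional state letter, proto, src.port -> dst.port, counts, state
RECORD = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?:\w\s+)?(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+(?P<state>\S+)"
)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d %b %y %H:%M:%S")
        for key in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def exploit_then_shell_probe(flows, shell_port=34816, min_bytes=1000, window=60):
    """(src, dst, probe_state) for each port-80 flow carrying >= min_bytes from
    the client (a large POST, unlike the scan's empty SYNs) that is followed within
    window seconds by the same source connecting to the same host on shell_port."""
    hits = []
    for ex in flows:
        if ex["dport"] != 80 or ex["sbytes"] < min_bytes:
            continue
        for probe in flows:
            delta = (probe["ts"] - ex["ts"]).total_seconds()
            if (probe["src"] == ex["src"] and probe["dst"] == ex["dst"]
                    and probe["dport"] == shell_port and 0 <= delta <= window):
                hits.append((ex["src"], ex["dst"], probe["state"]))
    return hits
```

A probe state of S_ or S_RA in the result means nothing answered on the shell port; a hit whose probe shows bytes flowing in both directions is the case worth escalating.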
    
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:07:17 PDT