Re: [unisog] Heads up! distributed scans and attacks targeting nsiss.dll

From: Anderson Johnston (andyat_private)
Date: Fri Aug 08 2003 - 12:16:57 PDT


    This was in our scan summary for 29 jul 2003:
    
    Scanner IP              # Targets               Ports                   Type
    -------------------     --------------          -----------             -----------
    218.145.25.43           816                     80                      SYN
    218.145.25.44           874                     80                      SYN
    218.145.25.45           766                     80                      SYN
    218.145.25.46           759                     80                      SYN
    218.145.25.47           565                     80                      SYN
    218.145.25.48           499                     80                      SYN
    218.145.25.49           606                     80                      SYN
    218.145.25.107          823                     80                      SYN
    218.145.25.108          967                     80                      SYN
    218.145.25.109          978                     80                      SYN
    218.145.25.110          962                     80                      SYN
    218.145.25.112          906                     80                      SYN
    218.145.25.113          827                     80                      SYN
    
    and here's an excerpt of the scan report itself:
    
    Jul 29 18:05:01 218.145.25.113:22500 -> MY.NET.1.60:80 SYN ******S*
    Jul 29 18:05:01 218.145.25.113:22502 -> MY.NET.1.78:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22507 -> MY.NET.1.124:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22499 -> MY.NET.1.53:80 SYN ******S*
    Jul 29 18:05:01 218.145.25.113:22505 -> MY.NET.1.122:80 SYN ******S*
    Jul 29 18:05:01 218.145.25.113:22496 -> MY.NET.1.14:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22529 -> MY.NET.2.20:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22519 -> MY.NET.1.206:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22523 -> MY.NET.1.245:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22516 -> MY.NET.1.181:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22524 -> MY.NET.1.250:80 SYN ******S*
    Jul 29 18:05:02 218.145.25.113:22518 -> MY.NET.1.193:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.113:22656 -> MY.NET.2.212:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.113:22660 -> MY.NET.3.12:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.113:22679 -> MY.NET.3.186:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.113:22680 -> MY.NET.3.191:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59445 -> MY.NET.1.191:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59448 -> MY.NET.1.204:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59442 -> MY.NET.1.184:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59437 -> MY.NET.1.138:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59426 -> MY.NET.1.74:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59431 -> MY.NET.1.113:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59423 -> MY.NET.1.70:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59457 -> MY.NET.2.30:80 SYN ******S*
    Jul 29 18:05:04 218.145.25.109:59455 -> MY.NET.2.16:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.109:59547 -> MY.NET.2.144:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.109:59559 -> MY.NET.2.229:80 SYN ******S*
    Jul 29 18:05:05 218.145.25.109:59560 -> MY.NET.2.233:80 SYN ******S*
    
    My times are GMT -0400, so the scan started around 22:00 jul 29 GMT.
    Yours were around 10:00 aug 03 GMT.  MY.NET is 130.85.  It seems a long
    time to get from 130.85 to 130.216 if the scan just stepped up the
    addresses.
    
    On 8 Aug 2003, Russell Fulton wrote:
    
    > Greetings All,
    > This morning I noticed that snort had logged a whole lot of
    > "WEB-IIS nsiislog.dll access" alerts. After several hours of
    > investigation I decided that there are enough interesting and different
    > things about this incident to warrant writing a summary of what
    > happened.
    >
    > Times are UTC +1200.
    >
    > Distributed scan from about 40 different sources of port 80 through
    > 130.216.0.0/16 -- start of scan:
    >
    > 07 Aug 03 22:03:18   s       tcp  218.145.25.111.49665  ->   130.216.180.100.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.113.60146  ->       130.216.0.1.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.108.37612  ->       130.216.0.3.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.109.59601  ->       130.216.0.4.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.110.17088  ->       130.216.0.5.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   220.73.165.76.60348  ->       130.216.0.7.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   220.73.165.75.47408  ->       130.216.0.6.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   220.73.165.77.47175  ->       130.216.0.8.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.110.17089  ->       130.216.0.9.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.111.56043  ->      130.216.0.10.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.112.55521  ->      130.216.0.11.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   220.73.165.81.58763  ->      130.216.0.12.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  218.145.25.107.16084  ->      130.216.0.13.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  220.73.165.204.46764  ->      130.216.0.17.80    5        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp  220.73.165.205.24843  ->      130.216.0.18.80    5        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   218.145.25.49.13725  ->      130.216.0.19.80    9        0         0            0           S_
    > 07 Aug 03 22:03:48   s       tcp   218.145.25.43.26870  ->      130.216.0.20.80    9        0         0            0           S_
    >
    >
    > Note the distributed source addresses and the sequential nature of the
    > scan (the records are in time order). All addresses were in
    > 220.73.165.0/24 or 218.145.25.0/24 (both belong to Korea Telecom). Any
    > machines that responded on port 80 were then probed for nsiislog.dll:
    >
    > #0-(1-806765)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.110:52905       130.216.128.94:80       TCP
    > #1-(1-806764)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       218.145.25.107:43230       130.216.128.91:80       TCP
    > #2-(1-806763)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:25       220.73.165.139:7390       130.216.128.16:80       TCP
    > #3-(1-806762)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:01       218.145.25.47:42492       130.216.112.111:80       TCP
    > #4-(1-806761)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.46:45670       130.216.112.103:80       TCP
    > #5-(1-806760)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.45:57991       130.216.112.102:80       TCP
    > #6-(1-806759)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:09:00       218.145.25.44:57460       130.216.112.101:80       TCP
    > #7-(1-806758)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.107:39145       130.216.103.95:80       TCP
    > #8-(1-806757)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.112:16908       130.216.103.25:80       TCP
    > #9-(1-806756)       urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       218.145.25.111:43986       130.216.103.24:80       TCP
    > #10-(1-806754)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:35       218.145.25.43:46740       130.216.98.249:80       TCP
    > #11-(1-806755)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:44       220.73.165.12:41855       130.216.103.5:80       TCP
    > #12-(1-806753)      urlnessus[snort] WEB-IIS nsiislog.dll access       2003-08-07 22:08:31       218.145.25.110:46406       130.216.96.144:80       TCP
    >
    > About an hour later several machines were attacked from 62.194.21.242
    > [node-c-15f2.a2000.nl]  I suspect that this might be the controller but
    > I'm just guessing.
    >
    > 08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
    > 08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
    > 08 Aug 03 00:09:06    tcp   62.194.21.242.3115   ->      130.216.1.22.80    8        8         5840         370         SRA_FSRPA
    > 08 Aug 03 00:09:06    tcp   62.194.21.242.3116   ->      130.216.1.22.34816 3        3         0            0           S_RA
    > 08 Aug 03 00:09:20    tcp   62.194.21.242.3118   ->      130.216.1.25.80    6        7         4380         370         SA_FSRPA
    > 08 Aug 03 00:09:23    tcp   62.194.21.242.3119   ->      130.216.1.25.34816 3        3         0            0           S_RA
    > 08 Aug 03 00:09:25    tcp   62.194.21.242.3120   ->      130.216.1.27.80    5        6         4380         370         SA_FSRPA
    > 08 Aug 03 00:09:26    tcp   62.194.21.242.3121   ->      130.216.1.27.34816 3        3         0            0           S_RA
    > 08 Aug 03 00:09:33    tcp   62.194.21.242.3124   ->     130.216.1.202.80    9        14        2680         486         SRA_FSPA
    > 08 Aug 03 00:09:33    tcp   62.194.21.242.3125   ->     130.216.1.202.34816 3        6         0            0           SRA_SRA
    > 08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
    > 08 Aug 03 00:09:54    tcp   62.194.21.242.3129   ->      130.216.30.1.80    6        7         1668         676         SRA_FSPA
    > 08 Aug 03 00:09:56    tcp   62.194.21.242.3130   ->      130.216.30.1.34816 3        3         0            0           S_RA
    > 08 Aug 03 00:10:01    tcp   62.194.21.242.3131   ->     130.216.30.31.80    8        8         2780         676         SRA_FSRPA0
    >
    > packet dump of exploit code:
    >
    > 000 : 50 4F 53 54 20 2F 73 63 72 69 70 74 73 2F 6E 73   POST /scripts/ns
    > 010 : 69 69 73 6C 6F 67 2E 64 6C 6C 20 48 54 54 50 2F   iislog.dll HTTP/
    > 020 : 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.0..Accept: */*
    > 030 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E 53   ..User-Agent: NS
    > 040 : 50 6C 61 79 65 72 2F 34 2E 31 2E 30 2E 33 39 31   Player/4.1.0.391
    > 050 : 37 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   7..Content-Type:
    > 060 : 20 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 43 6F 6E    text/plain..Con
    > 070 : 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 39 39 39   tent-Length: 999
    > 080 : 36 0D 0A 50 72 61 67 6D 61 3A 20 78 43 6C 69 65   6..Pragma: xClie
    > 090 : 6E 74 47 55 49 44 3D 7B 38 39 66 34 35 31 65 30   ntGUID={89f451e0
    > 0a0 : 2D 61 34 39 31 2D 34 33 34 36 2D 61 64 37 38 2D   -a491-4346-ad78-
    > 0b0 : 34 64 35 35 61 61 63 38 39 30 34 35 7D 0D 0A 0D   4d55aac89045}...
    > 0c0 : 0A 4D 58 5F 53 54 41 54 53 5F 4C 6F 67 4C 69 6E   .MX_STATS_LogLin
    > 0d0 : 65 3A 20 CC CC CC CC CC CC CC CC CC CC CC CC CC   e: .............
    > 0e0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    > 0f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    > 100 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    > 110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC   ................
    > ..............
    >
    > The exploit is almost certainly
    > http://www.securityfocus.com/bid/8035/exploit/
    >
    > This is an IIS bug that was fixed by MS03-018:
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp
    >
    > In the argus logs above you can see the exploit attempt followed
    > immediately by a probe for the shell on port 34816.
    >
    > Several hours later the scan and probes were repeated, this time from a
    > single machine:
    >
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2378   ->       130.216.0.3.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2377   ->       130.216.0.2.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2376   ->       130.216.0.1.80    1        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2379   ->       130.216.0.4.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2380   ->       130.216.0.5.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2381   ->       130.216.0.6.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2382   ->       130.216.0.7.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2383   ->       130.216.0.8.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2384   ->       130.216.0.9.80    2        0         0            0           S_
    > 08 Aug 03 09:02:28    tcp  203.253.177.80.2387   ->      130.216.0.12.80    2        0         0            0           S_
    > ......
    >
    > No, we did not get any systems compromised (I'd like to believe that
    > this is because all our admins have applied MS03-018, but I guess I'd be
    > deluding myself ;)
    >
    > --
    > Russell Fulton, Network Security Officer, The University of Auckland,
    > New Zealand.
    >
    
    ------------------------------------------------------------------------------
    ** Andy Johnston (andyat_private)          *            pager: 410-678-8949  **
    ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
    ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
    ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
    ------------------------------------------------------------------------------
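As an added example (not code from this post or from either author), here is a small Python script that does the two pieces of log work the thread shows: rolling snort portscan lines up into a per-scanner summary like the table at the top of Andy's reply, and correlating argus flow records for the pattern Russell points out, a data-carrying session to port 80 followed seconds later by a probe of TCP/34816 from the same source to the same host. The sample lines are copied from the post; the argus column layout is assumed from what is visible above (the script tolerates the extra status column in the first argus listing), and the 30-second correlation window is my choice.

```python
"""Added example: summarise snort portscan lines and correlate argus flows
for the 'exploit on port 80, then probe of the shell port' pattern.
Sample input below is copied from the unisog post; MY.NET is the
placeholder the post itself uses."""
import re
from datetime import datetime, timedelta

PORTSCAN_LOG = """\
Jul 29 18:05:01 218.145.25.113:22500 -> MY.NET.1.60:80 SYN ******S*
Jul 29 18:05:01 218.145.25.113:22502 -> MY.NET.1.78:80 SYN ******S*
Jul 29 18:05:02 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
Jul 29 18:05:04 218.145.25.113:22531 -> MY.NET.2.27:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59445 -> MY.NET.1.191:80 SYN ******S*
Jul 29 18:05:04 218.145.25.109:59448 -> MY.NET.1.204:80 SYN ******S*
"""

# Argus records from the post. Columns after the timestamp: proto, src.sport, ->,
# dst.dport, pkts sent, pkts received, bytes sent, bytes received, state flags.
ARGUS_LOG = """\
08 Aug 03 00:08:44    tcp   62.194.21.242.3109   ->       130.216.1.8.80    5        10        1072         5600        SRA_SPA
08 Aug 03 00:08:45    tcp   62.194.21.242.3110   ->       130.216.1.8.34816 3        0         0            0           S_
08 Aug 03 00:09:40    tcp   62.194.21.242.3126   ->     130.216.11.45.80    3        3         0            0           S_RA
08 Aug 03 00:09:54    tcp   62.194.21.242.3129   ->      130.216.30.1.80    6        7         1668         676         SRA_FSPA
08 Aug 03 00:09:56    tcp   62.194.21.242.3130   ->      130.216.30.1.34816 3        3         0            0           S_RA
"""

SCAN_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>[\d:]+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) (?P<type>\w+)"
)


def summarize_scans(text):
    """Per scanner: number of distinct targets, ports touched, scan types seen.
    Distinct targets matter because the portscan log repeats retransmitted SYNs."""
    acc = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        e = acc.setdefault(m["src"], {"targets": set(), "ports": set(), "types": set()})
        e["targets"].add(m["dst"])
        e["ports"].add(int(m["dport"]))
        e["types"].add(m["type"])
    return {src: {"targets": len(e["targets"]), "ports": sorted(e["ports"]),
                  "types": sorted(e["types"])} for src, e in acc.items()}


def parse_argus(text):
    """Parse argus 'ra'-style lines into dicts; locates the proto column so the
    variant with an extra status column before 'tcp' parses as well."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if "tcp" not in f:
            continue
        i = f.index("tcp")
        if len(f) < i + 8:
            continue
        ts = datetime.strptime(" ".join(f[0:4]), "%d %b %y %H:%M:%S")
        src, _sport = f[i + 1].rsplit(".", 1)
        dst, dport = f[i + 3].rsplit(".", 1)
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "sbytes": int(f[i + 6]), "dbytes": int(f[i + 7]), "state": f[i + 8]})
    return flows


def find_exploit_then_shell_probe(flows, shell_port=34816, window=timedelta(seconds=30)):
    """Pair each port-80 flow that carried client data with a later probe of
    shell_port from the same src to the same dst inside `window`.
    Returns (src, dst, exploit_ts, probe_ts, probe_state) tuples; the state
    string of the probe tells you whether the target answered (a reset in the
    destination half, e.g. S_RA, means nothing was listening)."""
    probes = [f for f in flows if f["dport"] == shell_port]
    hits = []
    for ex in flows:
        if ex["dport"] != 80 or ex["sbytes"] == 0:
            continue
        for pr in probes:
            if (pr["src"] == ex["src"] and pr["dst"] == ex["dst"]
                    and ex["ts"] <= pr["ts"] <= ex["ts"] + window):
                hits.append((ex["src"], ex["dst"], ex["ts"], pr["ts"], pr["state"]))
    return hits


if __name__ == "__main__":
    for src, e in sorted(summarize_scans(PORTSCAN_LOG).items()):
        print(f"{src:<20} {e['targets']:>6} {','.join(map(str, e['ports'])):>8} {'/'.join(e['types'])}")
    for src, dst, ets, pts, state in find_exploit_then_shell_probe(parse_argus(ARGUS_LOG)):
        print(f"{src} -> {dst}: data to :80 at {ets:%H:%M:%S}, :34816 probe at {pts:%H:%M:%S} ({state})")
```

On the sample above the correlation reports 130.216.1.8 and 130.216.30.1 (two hosts that received data on port 80 and were then probed on 34816) and ignores 130.216.11.45, whose port-80 flow carried no bytes and had no follow-up probe. Running the same check over a full day of argus output is a cheap way to list exactly which hosts an attacker thought worth a second look, which is the list to hand to the admins for patch verification.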
    
    
    