Forum OpenACS Q&A: Strange Message: nsiislog.dll ??

Collapse
Posted by Samer Abukhait on
I am having this strange message in the log file, can any body explain??

[10/Nov/2003:20:59:35][16522.163851][-conn:portal::7] Error: GET http:///scripts/nsiislog.dll?
referred by ""
can't read "location_hostname": no such variable
    while executing
"set hostname $location_hostname"
    (procedure "util_current_location" line 42)
    invoked from within
"util_current_location"

Collapse
Posted by Torben Brosten on
Hi Samer AbuKhait,

Since it's in the ns log file and not the error file, it looks like an external request to your server. Searching "/scripts/nsiislog.dll" in google yields this url among others:

http://www.securityfocus.com/archive/105/340903/2003-10-09/2003-10-15/0

Collapse
Posted by Samer Abukhait on
this was in my server error log file.

I actually searched for the code that was servered.

found out that a request without host was servered on my server .. !!
How might this happen?


    set Host [ns_set iget [ad_conn headers] Host]
..
    # Server config location
    if { ![regexp {^([a-z]+://)?([^:]+)(:[0-9]*)?$} [ad_conn location] match location_proto location_hostname location_port] } {
        ns_log Error "util_current_location couldn't regexp '[ad_conn location]'"
    }

...

    if { [empty_string_p $Host] } {
        # No Host header, return protocol from driver, hostname from [ad_conn location], and port from driver
        set hostname $location_hostname
    }

Collapse
Posted by Torben Brosten on
Maybe http request via 'telnet your-host 80'?
Collapse
Posted by Dirk Gomez on

What could it be...IIS and dll...hint hint hint.

Google returns 3800 hits for "nsiislog.dll", amongst others http://securityresponse.symantec.com/avcenter/security/Content/8035.html - Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability

Collapse
6: and now; default.ida (response to 1)
Posted by Samer Abukhait on
I am having another similar log entry, but now with a longer source, who is the first accused?

Should I do something about these requests or they are harmless?

[20/Jan/2004:21:02:25][7916.1015813][-conn:portal::117] Error: GET http:///default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
referred by ""
can't read "location_hostname": no such variable

Collapse
Posted by Jon Griffin on
MS worm, don't worry about it.