Forum OpenACS Q&A: Strange Message: nsiislog.dll ??

Collapse
1: Strange Message: nsiislog.dll ??
Posted by Samer Abukhait on 11/10/03 08:45 PM
I am having this strange message in the log file, can any body explain??

[10/Nov/2003:20:59:35][16522.163851][-conn:portal::7] Error: GET http:///scripts/nsiislog.dll?
referred by ""
can't read "location_hostname": no such variable
    while executing
"set hostname $location_hostname"
    (procedure "util_current_location" line 42)
    invoked from within
"util_current_location"

Collapse
2: Re: Strange Message: nsiislog.dll ?? (response to 1)
Posted by Torben Brosten on 11/10/03 11:21 PM
Hi Samer AbuKhait,

Since it's in the ns log file and not the error file, it looks like an external request to your server. Searching "/scripts/nsiislog.dll" in google yields this url among others:

http://www.securityfocus.com/archive/105/340903/2003-10-09/2003-10-15/0

Collapse
3: Re: Strange Message: nsiislog.dll ?? (response to 1)
Posted by Samer Abukhait on 11/10/03 11:50 PM
this was in my server error log file.

I actually searched for the code that was servered.

found out that a request without host was servered on my server .. !!
How might this happen?


    set Host [ns_set iget [ad_conn headers] Host]
..
    # Server config location
    if { ![regexp {^([a-z]+://)?([^:]+)(:[0-9]*)?$} [ad_conn location] match location_proto location_hostname location_port] } {
        ns_log Error "util_current_location couldn't regexp '[ad_conn location]'"
    }

...

    if { [empty_string_p $Host] } {
        # No Host header, return protocol from driver, hostname from [ad_conn location], and port from driver
        set hostname $location_hostname
    }

Collapse
4: Re: Strange Message: nsiislog.dll ?? (response to 1)
Posted by Torben Brosten on 11/11/03 12:19 AM
Maybe http request via 'telnet your-host 80'?
Collapse
5: Re: Strange Message: nsiislog.dll ?? (response to 1)
Posted by Dirk Gomez on 11/11/03 12:51 AM

What could it be...IIS and dll...hint hint hint.

Google returns 3800 hits for "nsiislog.dll", amongst others http://securityresponse.symantec.com/avcenter/security/Content/8035.html - Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability

Collapse
6: and now; default.ida (response to 1)
Posted by Samer Abukhait on 01/20/04 09:04 PM
I am having another similar log entry, but now with a longer source, who is the first accused?

Should I do something about these requests or they are harmless?

[20/Jan/2004:21:02:25][7916.1015813][-conn:portal::117] Error: GET http:///default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
referred by ""
can't read "location_hostname": no such variable

Collapse
7: Re: Strange Message: nsiislog.dll ?? (response to 1)
Posted by Jon Griffin on 01/20/04 09:10 PM
MS worm, don't worry about it.