[Dshield] RE: SMB overflow attacks

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Tue Aug 27 16:48:17 GMT 2002


How are you seeing this? Via netstat output? FPortNG? 

When I use either of those to view open ports, I'm not seeing any port 445.
All I did was set up tcp ip filtering to allow only the ports I wanted open.
I also installed black ice. 


-----Original Message-----
From: Jason Coombs [mailto:jasonc at science.org] 
Sent: Monday, August 26, 2002 6:33 PM
To: KF; vuln-dev at security-focus.com; incidents at security-focus.com;
full-disclosure at lists.netsys.com
Subject: RE: SMB overflow attacks 

On a related subject, I've been struggling for weeks to turn off port 445
completely. It's not happening. The port is bound by the System process on
both TCP and UDP, and System also binds to and listens on a port above 1024
for some unknown reason.

Turning off port 139 by disabling file and printer sharing and NetBIOS over
TCP/IP (NetBT) (remove Client for Microsoft Networks, turn off Lanman server
and RPC services or bind them to the loopback adapter) gets rid of port 139
bindings or forces the binding to a harmless interface -- and it appears
possible to disable SMB-based services, but so far I've found no way to stop
port 445 binding ... System binds to port 445 on all interfaces (0.0.0.0) no
matter what.

TCP/IP port filtering can be turned on to force TCP SYN ACK RESET in
response to any TCP SYN which should prevent any packets from reaching the
SMB service that the System process refuses to unbind from port 445.

Does anyone have any information about why System binds to a port above
1024, and what can be done, if anything, to force Windows 2000/XP/.NET
Server to stop binding to port 445 TCP and UDP?

Thanks.

Jason Coombs
jasonc at science.org
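The situation Jason describes (System holding 139/445 on 0.0.0.0 even after NetBT and file sharing are disabled) is easy to confirm from the host itself. The script below is an added example, not from any poster in this thread; it assumes a Windows build that ships the NetTCPIP module (Windows 8 / Server 2012 or later), since the 2002-era hosts discussed here would have used netstat -ano or FPortNG instead.

```powershell
# Added example (not from the thread): list TCP and UDP listeners on the
# SMB ports, the process that owns each one, and whether the socket is bound
# to the wildcard address, i.e. reachable on every interface.
function Get-SmbListener {
    param([int[]]$Ports = @(139, 445))

    # Build one uniform record per endpoint regardless of protocol.
    function Describe-Endpoint([string]$Protocol, $Endpoint) {
        $proc = Get-Process -Id $Endpoint.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol      = $Protocol
            LocalAddress  = $Endpoint.LocalAddress
            LocalPort     = $Endpoint.LocalPort
            # 0.0.0.0 / :: means the bind is not restricted to one adapter.
            AllInterfaces = $Endpoint.LocalAddress -in @('0.0.0.0', '::')
            PID           = $Endpoint.OwningProcess
            Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object { Describe-Endpoint 'TCP' $_ }

    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object { Describe-Endpoint 'UDP' $_ }
}

# Run as Administrator so OwningProcess resolves to a name rather than
# 'unknown' for the System process (PID 4 on modern Windows).
Get-SmbListener | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

This reports what is bound, not what is reachable: TCP/IP filtering or a host firewall can block the port while the System process keeps the socket, so confirm the filter from another host with Test-NetConnection -ComputerName <host> -Port 445.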

-----Original Message-----
From: KF [mailto:dotslash at snosoft.com]
Sent: Monday, August 26, 2002 10:03 AM
To: vuln-dev at security-focus.com; incidents at security-focus.com;
full-disclosure at lists.netsys.com
Subject: SMB overflow attacks


Does anyone have log entries from a confirmed attack based on the recent
SMB overflows?

http://online.securityfocus.com/bid/5556 and
http://online.securityfocus.com/advisories/4416

I have a client with some unusual log entries related to lanman and SMB
headers.... the log issues are similar to the following article:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q321733

After applying the fix mentioned in the security-focus bid the server
seemed to be happy... this makes me think the reason the server
was aggravated is related to a DoS attack on SMB.

I just need something solid to either trace back to an attacker or a
confirmation that I was even attacked.

-KF
