lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jasonc at science.org (Jason Coombs)
Subject: RE: SMB overflow attacks

On a related subject, I've been struggling for weeks to turn off port 445
completely. It's not happening. The port is bound by the System process on
both TCP and UDP, and System also binds to and listens on a port above 1024
for some unknown reason.

Turning off port 139 by disabling file and printer sharing and NetBIOS over
TCP/IP (NetBT) (remove Client for Microsoft Networks, turn off Lanman server
and RPC services or bind them to the loopback adapter) gets rid of port 139
bindings or forces the binding to a harmless interface -- and it appears
possible to disable SMB-based services, but so far I've found no way to stop
port 445 binding ... System binds to port 445 on all interfaces (0.0.0.0) no
matter what.

TCP/IP port filtering can be turned on to force TCP SYN ACK RESET in
response to any TCP SYN which should prevent any packets from reaching the
SMB service that the System process refuses to unbind from port 445.

Does anyone have any information about why System binds to a port above
1024, and what can be done, if anything, to force Windows 2000/XP/.NET
Server to stop binding to port 445 TCP and UDP?

Thanks.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: KF [mailto:dotslash@...soft.com]
Sent: Monday, August 26, 2002 10:03 AM
To: vuln-dev@...urity-focus.com; incidents@...urity-focus.com;
full-disclosure@...ts.netsys.com
Subject: SMB overflow attacks


Does anyone have log entries from a confirmed attack based on the recent
SMB overflows?

http://online.securityfocus.com/bid/5556 and
http://online.securityfocus.com/advisories/4416

I have a client with some unusual log entries related to lanman and SMB
headers.... the log issues are similar to the following article:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q321733

After applying the fix mentioned in the security-focus bid the server
seemed to be happy... this makes me think the reason the server
was arrgivated is related to a DoS attack on SMB.

I just need something solid to either trace back to an attacker or a
confirmation that I was even attacked.

-KF




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ