Open Source and information security mailing list archives
Message-ID: <ILEPILDHBOLAHHEIMALBEEKKDLAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: RE: SMB overflow attacks

On a related subject, I've been struggling for weeks to turn off port 445 completely. It's not happening. The port is bound by the System process on both TCP and UDP, and System also binds to and listens on a port above 1024 for some unknown reason.

Turning off port 139 by disabling file and printer sharing and NetBIOS over TCP/IP (NetBT) (remove Client for Microsoft Networks, turn off Lanman server and RPC services or bind them to the loopback adapter) gets rid of port 139 bindings or forces the binding to a harmless interface -- and it appears possible to disable SMB-based services, but so far I've found no way to stop port 445 binding ... System binds to port 445 on all interfaces (0.0.0.0) no matter what.

TCP/IP port filtering can be turned on to force TCP SYN ACK RESET in response to any TCP SYN, which should prevent any packets from reaching the SMB service that the System process refuses to unbind from port 445.

Does anyone have any information about why System binds to a port above 1024, and what can be done, if anything, to force Windows 2000/XP/.NET Server to stop binding to port 445 TCP and UDP?

Thanks.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: KF [mailto:dotslash@...soft.com]
Sent: Monday, August 26, 2002 10:03 AM
To: vuln-dev@...urity-focus.com; incidents@...urity-focus.com; full-disclosure@...ts.netsys.com
Subject: SMB overflow attacks

Does anyone have log entries from a confirmed attack based on the recent SMB overflows?

http://online.securityfocus.com/bid/5556 and http://online.securityfocus.com/advisories/4416

I have a client with some unusual log entries related to lanman and SMB headers.... The log issues are similar to the following article: http://support.microsoft.com/default.aspx?scid=kb;[LN];Q321733

After applying the fix mentioned in the security-focus bid the server seemed to be happy... this makes me think the reason the server was aggravated is related to a DoS attack on SMB. I just need something solid to either trace back to an attacker or a confirmation that I was even attacked.

-KF

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
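The question in the thread is which process holds ports 139 and 445, on which addresses, and whether the NetBT and Lanman settings that are supposed to release them actually took effect. The PowerShell audit below is an added example, not code from the original thread or from either poster. It assumes a modern Windows host where the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint, New-NetFirewallRule) and CIM are available; the Windows 2000/XP systems the message discusses do not ship these cmdlets. The function names Get-SmbListenerReport, Get-SmbBindingContext and Block-InboundSmb are this script's own, and the firewall rule is the modern equivalent of the TCP/IP port filtering the message falls back on: it does not unbind the socket, it only stops inbound SYNs from reaching it.

```powershell
# Added audit example (not part of the original thread). Assumes a modern Windows host
# with the NetTCPIP module and CIM; run as Administrator so System-owned sockets resolve.

function Get-SmbListenerReport {
    [CmdletBinding()]
    param(
        # NetBIOS session (139) and direct-host SMB (445), the two ports in the thread.
        [int[]]$Ports = @(139, 445)
    )

    $findings = @()

    # TCP listeners: a LocalAddress of 0.0.0.0 or :: is a wildcard bind, i.e. the
    # "bound on all interfaces" condition the message describes for port 445.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort }
    foreach ($c in $tcp) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Protocol      = 'TCP'
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            Wildcard      = ($c.LocalAddress -in @('0.0.0.0', '::'))
            OwningPid     = $c.OwningProcess
            OwningProcess = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    # UDP endpoints on the same ports (the thread reports 445/UDP bound by System too).
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort }
    foreach ($e in $udp) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Protocol      = 'UDP'
            LocalAddress  = $e.LocalAddress
            LocalPort     = $e.LocalPort
            Wildcard      = ($e.LocalAddress -in @('0.0.0.0', '::'))
            OwningPid     = $e.OwningProcess
            OwningProcess = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

    return $findings
}

function Get-SmbBindingContext {
    # Settings the message says it changed: NetBT per adapter and the Lanman services.
    # TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
    $netbt = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Select-Object Description, TcpipNetbiosOptions

    $services = Get-Service -Name LanmanServer, LanmanWorkstation -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    [pscustomobject]@{
        NetbtPerAdapter = $netbt
        LanmanServices  = $services
    }
}

function Block-InboundSmb {
    # Mitigation when the socket cannot be unbound: drop inbound traffic at the host
    # firewall. Supports -WhatIf so the rule can be reviewed before it is created.
    [CmdletBinding(SupportsShouldProcess)]
    param([int[]]$Ports = @(139, 445))

    foreach ($p in $Ports) {
        if ($PSCmdlet.ShouldProcess("TCP/$p", "Add inbound block rule")) {
            New-NetFirewallRule -DisplayName "Block inbound SMB TCP $p (audit script)" `
                -Direction Inbound -Protocol TCP -LocalPort $p -Action Block | Out-Null
        }
    }
}

# Usage: list every SMB-port socket, flag wildcard binds, then show the related settings.
Get-SmbListenerReport | Format-Table -AutoSize
Get-SmbBindingContext | Format-List
# Block-InboundSmb -WhatIf   # preview the firewall mitigation; drop -WhatIf to apply it
```

A row with OwningProcess "System" (PID 4 on modern Windows) and Wildcard true for port 445 is the state the message complains about; on current Windows that bind is owned by the kernel-mode srv/srv2 drivers behind the LanmanServer service, so stopping and disabling that service is the setting to check first, and the firewall rule is the fallback when the listener must stay up for other reasons.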