Re: [Snort-users] Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt



#1
12-30-2004
Jose Costa
Re: [Snort-users] Repeated NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt

I'm getting that too.

Investigating...

Any news, please let me know.

Rgds,

Jose Costa

--- Andrea Venturoli <ml@netfence.it> wrote:
> Hello.
> On a network I manage I'm getting a lot of the following messages:
>
> Dec 29 12:00:00 mybdc snort: [1:2382:14] NETBIOS SMB DCERPC NTLMSSP asn1 overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.168.101.115:4269 -> 192.168.101.4:139
>
>
> It started a few days ago, always from the same client IP (Windows 2000) to the same server IP (Samba BDC) and every 10-15 seconds.
>
> Given this, I suspect some not so nice process on the client side and, while I believe this particular server can't be affected by this bug, I'd still love to stop it.
>
> I've captured one such packet and it is below. I really lack the knowledge to analyse it in detail, but I'd be happy if someone with more experience can give me any suggestions.
>
> bye & Thanks
> av.
>
> 11:01:00.931765 myclient.xxxxxxxx.yy.3507 >
> mybdc.xxxxxxxx.yy.netbios-ssn: P [tcp sum ok]
> 209:403(194) ack 95 win 65441
> >>> NBT Packet
> NBT Session Packet
> Flags=0x0
> Length=190 (0xbe)
>
> SMB PACKET: SMBsesssetupX (REQUEST)
> SMB Command = 0x73
> Error class = 0x0
> Error code = 0 (0x0)
> Flags1 = 0x18
> Flags2 = 0x7
> Tree ID = 0 (0x0)
> Proc ID = 65279 (0xfeff)
> UID = 0 (0x0)
> MID = 64 (0x40)
> Word Count = 13 (0xd)
> Com2=0x75
> Res1=0x0
> Off2=159 (0x9f)
> MaxBuffer=16644 (0x4104)
> MaxMpx=50 (0x32)
> VcNumber=0 (0x0)
> SessionKey=0x9347
> CaseInsensitivePasswordLength=24 (0x18)
> CaseSensitivePasswordLength=24 (0x18)
> Res=0x0
> Capabilities=0xD4
> Pass1&Pass2&Account&Domain&OS&LanMan=
> [000] C3 D5 24 4D 62 0F 5B B5 8D 66 66 0D BB 17 EE
> 01
> \303\325$Mb\017[\265 \215ff\015\273\027\356\001
> [010] DE 24 BA C8 36 C7 F4 1C 2D 43 CD 48 F7 3B FE
> 89
> \336$\272\3106\307\364\034 -C\315H\367;\376\211
> [020] 8E BB 9D 8A 05 84 45 00 02 25 05 C7 96 1A EA
> D5
> \216\273\235\212\005\204E\000
> \002%\005\307\226\032\352\325
> [030] XX XX XX XX 00 XX XX XX XX XX XX XX XX 00 57
> 69 user\000MYD
> OMAIN\000Wi
> [040] 6E 64 6F 77 73 20 32 30 30 30 20 32 31 39 35
> 00 ndows 20 00 2195\000
> [050] 57 69 6E 64 6F 77 73 20 32 30 30 30 20 35 2E
> 30 Windows 2000 5.0
> [060] 00 00
> \000\000
>
> SMB PACKET: SMBtconX (REQUEST) (CHAINED)
> smbvwv[]=
> Com2=0xFF
> Off2=190 (0xbe)
> Flags=0x8
> PassLen=1 (0x1)
> Passwd&Path&Device=
> PassLen=1 (0x1)
> Passwd&Path&Device=
> smb_bcc=20
> smb_buf[]=
> [000] 00 5C 5C XX XX XX XX XX 5C 49 50 43 24 00 3F
> 3F \000\\MYBDC
> \IPC$\000??
> [010] 3F 3F 3F 00
> ???\000
>
>
> (DF) (ttl 128, id 61947, len 234)
> 0x0000 4500 00ea f1fb 4000 8006 bc49 c0a8 6573
> E.....@....I..es
> 0x0010 c0a8 6504 0db3 008b e351 0141 eba9 1cb4
> ..e......Q.A....
> 0x0020 5018 ffa1 8b8f 0000 0000 00be ff53 4d42
> P............SMB
> 0x0030 7300 0000 0018 0748 0000 0000 0000 0000
> s......H........
> 0x0040 0000 0000 0000 fffe 0000 4000 0d75 009f
> ..........@..u..
> 0x0050 0004 4132 0000 0047 9300 0018 0018 0000
> ..A2...G........
> 0x0060 0000 00d4 0000 0062 00c3 d524 4d62 0f5b
> .......b...$Mb.[
> 0x0070 b58d 6666 0dbb 17ee 01de 24ba c836 c7f4
> ..ff......$..6..
> 0x0080 1c2d 43cd 48f7 3bfe 898e bb9d 8a05 8445
> .-C.H.;........E
> 0x0090 0002 2505 c796 1aea d5XX XXXX XX00 XXXX
> ..%......user.MY
> 0x00a0 XXXX XXXX XXXX 0057 696e 646f 7773 2032
> DOMAIN.Windows.2
> 0x00b0 3030 3020 3231 3935 0057 696e 646f 7773
> 000.2195.Windows
> 0x00c0 2032 3030 3020 352e 3000 0004 ff00 be00
> .2000.5.0.......
> 0x00d0 0800 0100 1400 005c 5cXX XXXX XXXX 5c49
> .......\\MYBDC\I
> 0x00e0 5043 2400 3f3f 3f3f 3f00
> PC$.?????.
>
>
>





_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
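To see what the captured request actually contains, here is an added example (not from the original post or from Snort) that rebuilds the packet from the hex dump above, starting at the NBT header, and decodes the Session Setup AndX and the chained Tree Connect AndX. It assumes the redacted XX bytes are the placeholders the dump's ASCII column shows: account "user", domain "MYDOMAIN", server "MYBDC".

```python
import struct

FLAGS2_EXTENDED_SECURITY = 0x0800  # SMB1 header Flags2 bit

# Constructed from the hex dump in the post, from the NBT header (offset 0x28) on.
# Redacted "XX" bytes are replaced by the dump's ASCII placeholders: user, MYDOMAIN, MYBDC.
CAPTURE = (
    bytes.fromhex("000000be")                                   # NBT session message, 190 bytes
    + bytes.fromhex("ff534d42" "73" "00000000" "18" "0748"      # \xffSMB, cmd 0x73, status, flags, flags2
                    "0000" "0000000000000000" "0000"            # PIDHigh, signature, reserved
                    "0000" "fffe" "0000" "4000")                # TID, PID, UID, MID
    + bytes.fromhex("0d" "75009f00" "0441" "3200" "0000"        # WCT 13, AndX 0x75 @159, MaxBuf, MaxMpx, VC
                    "47930000" "1800" "1800" "00000000"         # SessionKey, OEM/Unicode pw lengths, reserved
                    "d4000000" "6200")                          # Capabilities, ByteCount 98
    + bytes.fromhex("c3d5244d620f5bb58d66660dbb17ee01de24bac836c7f41c")  # 24-byte LM response
    + bytes.fromhex("2d43cd48f73bfe898ebb9d8a05844500022505c7961aead5")  # 24-byte NTLM response
    + b"user\0MYDOMAIN\0Windows 2000 2195\0Windows 2000 5.0\0\0"
    + bytes.fromhex("04" "ff00be00" "0800" "0100" "1400" "00")  # chained TreeConnectAndX, 1-byte password
    + b"\\\\MYBDC\\IPC$\0?????\0"
)


def parse_session_setup(pkt: bytes) -> dict:
    """Decode NBT + SMB1 header + SessionSetupAndX (WordCount 13) + chained TreeConnectAndX."""
    nbt_len = int.from_bytes(pkt[1:4], "big")
    smb = pkt[4:4 + nbt_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    cmd, _status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    _tid, pid, _uid, mid = struct.unpack_from("<4H", smb, 24)
    if cmd != 0x73 or smb[32] != 13:
        raise ValueError("not the WordCount-13 (LM/NTLM) SessionSetupAndX form")
    (andx_cmd, _, andx_off, _maxbuf, _maxmpx, _vc, _skey,
     oem_len, uni_len, _, _caps, bcc) = struct.unpack_from("<BBHHHHIHHIIH", smb, 33)
    data = smb[61:61 + bcc]                       # words start at 33, 28 bytes incl. ByteCount
    lm, ntlm = data[:oem_len], data[oem_len:oem_len + uni_len]
    account, domain, native_os, native_lanman = data[oem_len + uni_len:].split(b"\0")[:4]
    tc = smb[andx_off:]                           # AndXOffset is relative to the SMB header start
    _tc_andx, _, _tc_off, _tc_flags, pw_len, tc_bcc = struct.unpack_from("<BBHHHH", tc, 1)
    path, service = tc[11:11 + tc_bcc][pw_len:].split(b"\0")[:2]
    return {
        "command": cmd, "flags2": flags2, "pid": pid, "mid": mid,
        "extended_security_flag": bool(flags2 & FLAGS2_EXTENDED_SECURITY),
        "contains_ntlmssp": b"NTLMSSP" in smb,   # an NTLMSSP/SPNEGO blob would carry this signature
        "lm_response_len": len(lm), "ntlm_response_len": len(ntlm),
        "account": account.decode(), "domain": domain.decode(), "native_os": native_os.decode(),
        "native_lanman": native_lanman.decode(), "chained_command": andx_cmd,
        "tree_path": path.decode(), "service": service.decode(),
    }
```

The Flags2 bytes 07 48 decode as 0x4807 (the dump's decoder printed only 0x7), so the header asks for extended security, yet the body is the WordCount-13 form carrying raw 24-byte LM and NTLM responses, with no NTLMSSP blob anywhere in the message. The chained Tree Connect to \\MYBDC\IPC$ with service "?????" is the ordinary shape of a domain member's IPC$ session, which is worth knowing before treating a repeating alert as an attack.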