Security Basics mailing list archives
spoolss overflow attempt: unknown threat or false alert?
From: "Buozis, Martynas" <martynas () ti com>
Date: Thu, 7 Sep 2006 20:20:33 +0200
Hello,

I see many packets coming from various hosts to a few servers (both clients and servers are inside the Intranet) that are identified by SNORT as "NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt". I checked the source hosts with AV and spyware software but found nothing, while these packets continue to flow persistently in large amounts. Is it some false positive by SNORT, or is there an unknown security threat (trojan/worm/virus) behind this activity? Does this packet really match the signature of a real hacking attempt? Can somebody tell me what the real threat is in a typical packet, if any? What can be the real risk behind these packets?

A typical packet payload looks like the following:

000 : 00 00 02 52 FF 53 4D 42 25 00 00 00 00 18 03 80 ...R.SMB%.......
010 : D1 80 00 00 00 00 00 00 00 00 00 00 01 00 00 98 ................
020 : 64 00 C0 00 10 00 00 FE 01 00 00 00 04 00 00 00 d...............
030 : 00 00 00 00 00 00 00 00 00 54 00 FE 01 54 00 02 .........T...T..
040 : 00 26 00 61 73 0F 02 5C 5C 00 50 00 49 00 50 00 .&.as..\\.P.I.P.
050 : 45 00 5C 00 00 00 00 5C 05 00 00 03 10 00 00 00 E.\....\........
060 : FE 01 00 00 01 00 00 00 E6 01 00 00 00 00 46 00 ..............F.
070 : 98 FE 2D 03 0A 00 00 00 00 00 00 00 0A 00 00 00 ..-.............
080 : 5C 00 5C 00 46 00 46 00 41 00 42 00 53 00 4D 00 \.\.F.F.A.B.S.M.
090 : 42 00 00 00 01 00 00 00 01 00 00 00 50 FE 2D 03 B...........P.-.
0a0 : 18 08 00 00 E4 F5 2D 03 24 FC 2D 03 58 F1 CA 02 ......-.$.-.X...
0b0 : 51 00 00 00 00 00 00 00 51 00 00 00 5C 00 5C 00 Q.......Q...\.\.
0c0 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r.
0d0 : 73 00 74 00 6B 00 31 00 2C 00 48 00 50 00 20 00 s.t.k.1.,.H.P. .
0e0 : 4C 00 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 L.a.s.e.r.J.e.t.
0f0 : 20 00 34 00 30 00 35 00 30 00 20 00 53 00 65 00 .4.0.5.0. .S.e.
100 : 72 00 69 00 65 00 73 00 20 00 50 00 53 00 2C 00 r.i.e.s. .P.S.,.
110 : 42 00 6C 00 64 00 67 00 2E 00 20 00 33 00 20 00 B.l.d.g... .3. .
120 : 53 00 2E 00 20 00 50 00 72 00 6F 00 62 00 65 00 S... .P.r.o.b.e.
130 : 20 00 6E 00 65 00 78 00 74 00 20 00 74 00 6F 00 .n.e.x.t. .t.o.
140 : 20 00 74 00 68 00 65 00 20 00 4F 00 6C 00 69 00 .t.h.e. .O.l.i.
150 : 20 00 49 00 6E 00 6B 00 65 00 72 00 00 00 72 00 .I.n.k.e.r...r.
160 : 0F 00 00 00 00 00 00 00 0F 00 00 00 5C 00 5C 00 ............\.\.
170 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r.
180 : 73 00 74 00 6B 00 31 00 00 00 31 00 2D 00 00 00 s.t.k.1...1.-...
190 : 00 00 00 00 2D 00 00 00 48 00 50 00 20 00 4C 00 ....-...H.P. .L.
1a0 : 4A 00 34 00 30 00 35 00 30 00 20 00 2D 00 20 00 J.4.0.5.0. .-. .
1b0 : 32 00 34 00 4D 00 62 00 20 00 72 00 61 00 6D 00 2.4.M.b. .r.a.m.
1c0 : 20 00 2D 00 20 00 41 00 6C 00 73 00 6F 00 20 00 .-. .A.l.s.o. .
1d0 : 61 00 20 00 44 00 41 00 5A 00 45 00 4C 00 20 00 a. .D.A.Z.E.L. .
1e0 : 2D 00 20 00 4E 00 54 00 53 00 4E 00 35 00 41 00 -. .N.T.S.N.5.A.
1f0 : 00 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 ..A.............
200 : 00 00 00 00 01 00 00 00 01 00 00 00 1C F5 2D 03 ..............-.
210 : 1C 00 00 00 70 03 C7 02 10 F3 2D 03 65 05 00 00 ....p.....-.e...
220 : 02 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
230 : 00 00 00 00 07 00 00 00 5C 00 5C 00 4F 00 4E 00 ........\.\.O.N.
240 : 59 00 58 00 00 00 58 00 01 00 00 00 00 00 00 00 Y.X...X.........
250 : 01 00 00 00 00 00 ......

Martynas
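To weigh an alert like this against the signature, the first thing to check is what the packet actually carries. The Python script below is added here and is not part of the original post: it rebuilds the bytes from the archive's hex-dump format, reads the NetBIOS and SMB header fields, and extracts the UTF-16LE strings (the "O.N.Y.X." pattern in the ascii column) that form the RPC arguments. The embedded dump is an excerpt of the post's own packet; rows that are not needed for the header or the string fields are omitted and read back as zeros.

```python
import re
import struct
from itertools import takewhile

# Excerpt of the hex dump quoted in the post (offset : bytes : ascii); omitted rows read back as zeros.
DUMP = r"""
000 : 00 00 02 52 FF 53 4D 42 25 00 00 00 00 18 03 80 ...R.SMB%.......
040 : 00 26 00 61 73 0F 02 5C 5C 00 50 00 49 00 50 00 .&.as..\\.P.I.P.
050 : 45 00 5C 00 00 00 00 5C 05 00 00 03 10 00 00 00 E.\....\........
080 : 5C 00 5C 00 46 00 46 00 41 00 42 00 53 00 4D 00 \.\.F.F.A.B.S.M.
090 : 42 00 00 00 01 00 00 00 01 00 00 00 50 FE 2D 03 B...........P.-.
0b0 : 51 00 00 00 00 00 00 00 51 00 00 00 5C 00 5C 00 Q.......Q...\.\.
0c0 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r.
0d0 : 73 00 74 00 6B 00 31 00 2C 00 48 00 50 00 20 00 s.t.k.1.,.H.P. .
0e0 : 4C 00 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 L.a.s.e.r.J.e.t.
0f0 : 20 00 34 00 30 00 35 00 30 00 20 00 53 00 65 00 .4.0.5.0. .S.e.
100 : 72 00 69 00 65 00 73 00 20 00 50 00 53 00 2C 00 r.i.e.s. .P.S.,.
110 : 42 00 6C 00 64 00 67 00 2E 00 20 00 33 00 20 00 B.l.d.g... .3. .
"""

def parse_dump(text):
    """Rebuild a byte buffer, placing each dump row at its stated offset."""
    chunks = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] != ":":
            continue
        hexes = takewhile(lambda t: re.fullmatch(r"[0-9A-Fa-f]{2}", t), tokens[2:18])
        chunks.append((int(tokens[0], 16), bytes.fromhex("".join(hexes))))
    buf = bytearray(max(off + len(b) for off, b in chunks))
    for off, b in chunks:
        buf[off:off + len(b)] = b
    return bytes(buf)

def parse_smb_header(data):
    """NetBIOS session header (type, 3-byte length), then SMB command/status/flags; 0x25 is SMB_COM_TRANSACTION."""
    if data[4:8] != b"\xffSMB":
        raise ValueError("not an SMB message")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", data, 8)
    return {"nb_len": int.from_bytes(data[1:4], "big"), "command": command,
            "status": status, "flags": flags, "flags2": flags2}

def utf16le_strings(data, min_chars=4):
    """Printable UTF-16LE runs, i.e. the 'O.N.Y.X.' pattern in the ascii column."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars, data)]

def triage(text):
    """Header fields plus the string arguments a reviewer would read to judge the alert."""
    data = parse_dump(text)
    return parse_smb_header(data), utf16le_strings(data)
```

The flags2 value 0x8003 has the unicode bit (0x8000) set, which is why every string field is two bytes per character; the recovered strings here are the transaction name, a \\server name and a printer name with its location, and their lengths and content are what to compare against what an oversized AddPrinterEx argument would look like.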