RPC WinNuke

Dec 22nd, 2008

Today we have been getting numerous RPC WinNuke id=3345 version=S226 type=other created=20050318 alerts. The "attacker" has a private address at a remote branch, going through a LAN-to-LAN tunnel to the IPS and on to the Active Directory server, port 135. Is the attack designed to enter port 135 and create a DoS? Any suggestions on how to respond to the above?

John Blakley Tue, 12/23/2008 - 06:40

My first thought is you need to find out which host it is. If you don't have authority to contact that person directly, I would find out their supervisor. They may have a virus on the machine, and may not be attacking it directly. Otherwise, if it's causing an issue with your server, I would block their address on that port until you resolve the issue.

HTH,
John

saidfrh Tue, 12/23/2008 - 09:05

John,


The following is a glance at the alerts.

RPC WinNuke
  marsCategory: DoS/Host
  attacker: addr: 10.x.5.3 locality=OUT  port: 4188
  target:   addr: 192.168.yy.5 locality=OUT  port: 135

RPC WinNuke
  marsCategory: DoS/Host
  attacker: addr: 10.x.5.3 locality=OUT  port: 4240
  target:   addr: 192.168.yy.5 locality=OUT  port: 135

Invalid Netbios Name id=3357 version=S256 (Non A-Z character)
  marsCategory: Info/Misc
  attacker: addr: 10.x.5.2 locality=OUT  port: 137
  target:   addr: 192.168.yy.5 locality=OUT  port: 137

Invalid Netbios Name id=3357 version=S256 (Non A-Z character)
  marsCategory: Info/Misc
  attacker: addr: 10.x.5.3 locality=OUT  port: 137
  target:   addr: 192.168.yy.6 locality=OUT  port: 137

RPC WinNuke
  marsCategory: DoS/Host
  attacker: addr: 10.x.5.3 locality=OUT  port: 4406
  target:   addr: 192.168.yy.5 locality=OUT  port: 135

Invalid Netbios Name id=3357 version=S256 (Non A-Z character)
  marsCategory: Info/Misc
  attacker: addr: 10.x.5.2 locality=OUT  port: 137
  target:   addr: 192.168.yy.5 locality=OUT  port: 137

Invalid Netbios Name id=3357 version=S256 (Non A-Z character)
  marsCategory: Info/Misc
  attacker: addr: 10.x.5.2 locality=OUT  port: 0
  target:   addr: 0.0.0.0 locality=OUT  port: 0

RPC WinNuke
  marsCategory: DoS/Host
  attacker: addr: 10.xx.55.5 locality=OUT  port: 1080
  target:   addr: 192.168.yy.4 locality=OUT  port: 135

RPC WinNuke
  marsCategory: DoS/Host...
  attacker: addr: 10.xx.55.5 locality=OUT  port: 1104
  target:   addr: 192.168.yy.5 locality=OUT  port: 135

John Blakley Tue, 12/23/2008 - 09:10

You could put a sniffer on your server and see what else is going on. I don't know what else to tell you other than to find the computer(s) that are sending this, and make sure that they don't have any viruses or malware and are up to date on all of their patches.

HTH,
John

scothrel Tue, 12/23/2008 - 09:47

My $.02 worth...you need to find this user and shut them down. The 3357 alert is potentially more serious as it is indicative of an old (circa 2005) WINS buffer overflow attack.

That vulnerability should be patched by now, but the fact that there are non-printables in the exchange is suspicious. You always have the fallback of opening a TAC case to request a False Positive determination, along the lines of "Given the age of the covered vulnerability, the alarm is suspected to be a FP". Just so you know, the signature team will request a pcap capture of the suspect data; they won't be able to do anything without it (in case your company policy does not allow sending data to Cisco).
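What the 3357 subsignature text ("Non A-Z character") is actually testing, as an added example written for this page (Python; not from the thread and not Cisco's signature logic): RFC 1001/1002 first-level encoding turns the 16-byte NetBIOS name into 32 bytes drawn only from 'A'..'P', so any other byte inside the question label is malformed by construction, which is exactly the kind of "non-printable in the exchange" scothrel refers to. The host name, transaction ID and the junk bytes in the suspect packet are constructed.

```python
"""Added example: decode the NetBIOS Name Service (UDP/137) question name and
flag encoded bytes outside the legal range. RFC 1001/1002 first-level encoding
maps each nibble of the 16-byte name to one byte 'A'..'P', so a 32-byte label
with anything else in it is malformed by definition; this is the kind of test
the 'Invalid Netbios Name / Non A-Z character' subsignature text describes.
Not Cisco's signature code; names and transaction IDs below are made up."""
import struct
from typing import Dict, List, Tuple

NBNS_HEADER = struct.Struct(">HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
ENC_MIN, ENC_MAX = 0x41, 0x50            # 'A'..'P'


def encode_nb_name(name: str, suffix: int) -> bytes:
    """First-level encode: pad name to 15 bytes, append the 1-byte suffix,
    emit two bytes per input byte (high nibble, low nibble), each + 0x41."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(b for c in raw for b in (ENC_MIN + (c >> 4), ENC_MIN + (c & 0x0F)))


def build_nbns_query(name: str, suffix: int = 0x20, txid: int = 0x1234) -> bytes:
    """Constructed NB name query: opcode QUERY, RD and B flags set, QTYPE NB, QCLASS IN."""
    hdr = NBNS_HEADER.pack(txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_nb_name(name, suffix) + b"\x00"   # one 32-byte label, no scope
    return hdr + qname + struct.pack(">HH", 0x0020, 0x0001)


def inspect_nbns_question(pkt: bytes) -> Dict:
    """Parse the first question label and report decoded name, suffix and
    every encoded byte outside 'A'..'P' as (label_offset, value)."""
    if len(pkt) < NBNS_HEADER.size + 1:
        raise ValueError("short NBNS packet")
    txid, _flags, qdcount, *_ = NBNS_HEADER.unpack_from(pkt)
    if qdcount < 1:
        raise ValueError("no question section")
    label_len = pkt[NBNS_HEADER.size]
    label = pkt[NBNS_HEADER.size + 1:NBNS_HEADER.size + 1 + label_len]
    bad: List[Tuple[int, int]] = [(i, b) for i, b in enumerate(label) if not ENC_MIN <= b <= ENC_MAX]
    result = {"txid": txid, "label_len": label_len, "bad_bytes": bad,
              "name": None, "suffix": None, "valid": False}
    if label_len != 32 or bad:          # a legal encoded name is exactly 32 bytes of A..P
        return result
    decoded = bytes(((label[i] - ENC_MIN) << 4) | (label[i + 1] - ENC_MIN) for i in range(0, 32, 2))
    result.update(name=decoded[:15].decode("ascii", "replace").rstrip(),
                  suffix=decoded[15], valid=True)
    return result


# Constructed samples (not the thread's captures).
BENIGN_QUERY = build_nbns_query("FILESRV01")             # server service, suffix <20>
SUSPECT_QUERY = bytearray(BENIGN_QUERY)
SUSPECT_QUERY[17:25] = b"\x01\x90\xff?/\\~\x00"          # 8 label bytes overwritten with junk
SUSPECT_QUERY = bytes(SUSPECT_QUERY)


if __name__ == "__main__":
    for tag, pkt in (("benign", BENIGN_QUERY), ("suspect", SUSPECT_QUERY)):
        r = inspect_nbns_question(pkt)
        state = "valid" if r["valid"] else f"INVALID bad_bytes={r['bad_bytes']}"
        print(tag, state, r["name"], r["suffix"])
```

Running it against a real capture (log-pair or a sniffer on the server) is a quick way to see whether the flagged bytes are a genuinely malformed label or just a host with a non-ASCII name, which is the distinction a FP determination turns on.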

scothrel Tue, 12/23/2008 - 09:59

Also, I noted that your alarm dump showed two 10. sources attacking a single 192. victim, so consider that your remote site probably has a larger problem than just a single box.

Hope this doesn't ruin your holidays...
SC

jnommensen Tue, 12/23/2008 - 11:43
I've seen this signature repeatedly fire falsely before. This signature is looking for a specific regex string, and if it finds it, it is going to trigger. The string in my case was represented by a DCERPC Bind request with version = 5, minor version = 0, and packet flags set to 0x03, i.e. the last and first frag flags are the only ones set. The TCP PSH flag also has to be set to meet this condition (and destination port 135, obviously). But definitely enable "log pair" for this signature, get some captures of the traffic, and go from there.
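The match condition described above, reconstructed as an added example written for this page (Python; not from the thread and not Cisco's signature code, which is not public). The 16-byte connection-oriented header layout is from the DCE 1.1 RPC specification, and the bind body uses the standard endpoint-mapper interface UUID and NDR 32-bit transfer syntax; every Windows RPC client sends exactly such a bind when it resolves an endpoint over TCP/135, which is why a literal match on these header fields fires on benign traffic. The sample packets, addresses and call IDs are constructed.

```python
"""Added example: replicate the match condition described for Cisco IPS
signature 3345 (RPC WinNuke) against a raw DCE/RPC bind PDU, to show why
ordinary endpoint-mapper traffic on TCP/135 satisfies it. The header layout
follows the DCE 1.1 connection-oriented RPC spec; the check is a
reconstruction from the thread, not Cisco's signature code."""
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

TCP_PSH = 0x08            # RFC 793 flag bit
PTYPE_BIND = 11           # DCE/RPC PDU type for a bind request
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02

# Connection-oriented PDU common header, 16 bytes, little-endian data representation:
# version(1) minor(1) ptype(1) pfc_flags(1) drep(4) frag_len(2) auth_len(2) call_id(4)
RPC_HDR = struct.Struct("<BBBB4sHHI")


@dataclass
class RpcHeader:
    version: int
    minor: int
    ptype: int
    flags: int
    frag_len: int
    call_id: int


def parse_rpc_header(payload: bytes) -> Optional[RpcHeader]:
    """Parse the common header; assumes little-endian drep (what Windows emits)."""
    if len(payload) < RPC_HDR.size:
        return None
    version, minor, ptype, flags, _drep, frag_len, _auth_len, call_id = RPC_HDR.unpack_from(payload)
    return RpcHeader(version, minor, ptype, flags, frag_len, call_id)


def sig3345_matches(dst_port: int, tcp_flags: int, payload: bytes) -> bool:
    """The condition as described in the thread: TCP dst 135, PSH set, and a
    DCE/RPC 5.0 bind whose pfc_flags are exactly FIRST_FRAG|LAST_FRAG (0x03)."""
    if dst_port != 135 or not (tcp_flags & TCP_PSH):
        return False
    hdr = parse_rpc_header(payload)
    return (hdr is not None and hdr.version == 5 and hdr.minor == 0
            and hdr.ptype == PTYPE_BIND
            and hdr.flags == (PFC_FIRST_FRAG | PFC_LAST_FRAG))


def build_bind(call_id: int, flags: int = PFC_FIRST_FRAG | PFC_LAST_FRAG) -> bytes:
    """Construct the bind a Windows RPC client sends to the endpoint mapper:
    one presentation context for the EPM interface (standard UUID, v3.0) with
    the NDR 32-bit transfer syntax (standard UUID, v2)."""
    epm_iface = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa").bytes_le + struct.pack("<HH", 3, 0)
    ndr32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le + struct.pack("<I", 2)
    ctx = struct.pack("<HBB", 0, 1, 0) + epm_iface + ndr32       # context id, n_transfer_syn, pad
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx   # max frags, assoc group, n_context
    hdr = RPC_HDR.pack(5, 0, PTYPE_BIND, flags, b"\x10\x00\x00\x00",
                       RPC_HDR.size + len(body), 0, call_id)
    return hdr + body


# Constructed sample packets (RFC 5737 addresses, not the thread's hosts).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10:4188", "dst_port": 135, "tcp_flags": 0x18, "payload": build_bind(1)},  # PSH|ACK, plain bind
    {"src": "192.0.2.10:4188", "dst_port": 135, "tcp_flags": 0x10, "payload": build_bind(2)},  # ACK only, no PSH
    {"src": "192.0.2.10:4190", "dst_port": 135, "tcp_flags": 0x18,
     "payload": build_bind(3, flags=PFC_FIRST_FRAG)},                                          # multi-fragment bind
    {"src": "192.0.2.10:4192", "dst_port": 445, "tcp_flags": 0x18, "payload": build_bind(4)},  # same bind over SMB port
]


def triage(packets) -> list:
    """Indexes of packets that would fire the signature as described."""
    return [i for i, p in enumerate(packets)
            if sig3345_matches(p["dst_port"], p["tcp_flags"], p["payload"])]


if __name__ == "__main__":
    for i in triage(SAMPLE_PACKETS):
        p = SAMPLE_PACKETS[i]
        hdr = parse_rpc_header(p["payload"])
        print(f"sig 3345 would fire on {p['src']} -> tcp/{p['dst_port']} call_id={hdr.call_id}")
```

Only the first sample fires: the check says nothing about which interface is being bound or what follows the bind, so the plain endpoint-mapper lookup and a hostile request look identical to it. That is the argument to put in the TAC case alongside the log-pair capture.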

scothrel Tue, 12/23/2008 - 13:13

That is interesting. I'll pass it on to the signature team.
SC

saidfrh Tue, 12/23/2008 - 13:26
The following are samples of the IPS alerts.

evIdsAlert: eventId=1229364010346913710 vendor=Cisco severity=high
  originator: hostId: IPS  appName: sensorApp  appInstanceId: 407
  time: Dec 22, 2008 19:23:20 UTC offset=0 timeZone=-8
  signature: description=RPC WinNuke id=3345 version=S226 type=other created=20050318
  subsigId: 0
  sigDetails: RPC WinNuke
  marsCategory: DoS/Host
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker: addr: 10.5..3 locality=OUT  port: 4188
    target:   addr: 192.168..5 locality=OUT  port: 135
    os: idSource=learned type=windows-nt-2k-xp relevance=relevant
  alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
  riskRatingValue: 70 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 70
  interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
  protocol: tcp

evIdsAlert: eventId=1229364010346920068 vendor=Cisco severity=medium
  originator: hostId: IPS  appName: sensorApp  appInstanceId: 407
  time: Dec 22, 2008 21:14:25 UTC offset=0 timeZone=-8
  signature: description=Invalid Netbios Name id=3357 version=S256 type=other created=20050629
  subsigId: 0
  sigDetails: Non A-Z character
  marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker: addr: 10.5..3 locality=OUT  port: 137
    target:   addr: 192.168..6 locality=OUT  port: 137
    os: idSource=learned type=windows-nt-2k-xp relevance=relevant
  alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;
  riskRatingValue: 66 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 66
  interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
  protocol: udp
