spoolss overflow attempt: unknown threat or false alert?




Hello

I see many packets coming from various hosts to a few servers (both
clients and servers are inside the Intranet) that are identified by SNORT as
NETBIOS SMB spoolss AddPrinterEx unicode little endian overflow attempt.
I checked the source hosts with AV and spyware software but found nothing,
while these packets continue to flow persistently in large amounts. Is
it some false positive by SNORT or is it an unknown security threat
(trojan/worm/virus) behind this activity? Does this packet really match
the signature of a real hacking attempt? Can somebody tell me what real
threat is in the typical packet, if any? What can be the real risk behind
these packets?

A typical packet payload looks like the following:

000 : 00 00 02 52 FF 53 4D 42 25 00 00 00 00 18 03 80 ...R.SMB%.......
010 : D1 80 00 00 00 00 00 00 00 00 00 00 01 00 00 98 ................
020 : 64 00 C0 00 10 00 00 FE 01 00 00 00 04 00 00 00 d...............
030 : 00 00 00 00 00 00 00 00 00 54 00 FE 01 54 00 02 .........T...T..
040 : 00 26 00 61 73 0F 02 5C 5C 00 50 00 49 00 50 00 .&.as..\\.P.I.P.
050 : 45 00 5C 00 00 00 00 5C 05 00 00 03 10 00 00 00 E.\....\........
060 : FE 01 00 00 01 00 00 00 E6 01 00 00 00 00 46 00 ..............F.
070 : 98 FE 2D 03 0A 00 00 00 00 00 00 00 0A 00 00 00 ..-.............
080 : 5C 00 5C 00 46 00 46 00 41 00 42 00 53 00 4D 00 \.\.F.F.A.B.S.M.
090 : 42 00 00 00 01 00 00 00 01 00 00 00 50 FE 2D 03 B...........P.-.
0a0 : 18 08 00 00 E4 F5 2D 03 24 FC 2D 03 58 F1 CA 02 ......-.$.-.X...
0b0 : 51 00 00 00 00 00 00 00 51 00 00 00 5C 00 5C 00 Q.......Q...\.\.
0c0 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r.
0d0 : 73 00 74 00 6B 00 31 00 2C 00 48 00 50 00 20 00 s.t.k.1.,.H.P. .
0e0 : 4C 00 61 00 73 00 65 00 72 00 4A 00 65 00 74 00 L.a.s.e.r.J.e.t.
0f0 : 20 00 34 00 30 00 35 00 30 00 20 00 53 00 65 00 .4.0.5.0. .S.e.
100 : 72 00 69 00 65 00 73 00 20 00 50 00 53 00 2C 00 r.i.e.s. .P.S.,.
110 : 42 00 6C 00 64 00 67 00 2E 00 20 00 33 00 20 00 B.l.d.g... .3. .
120 : 53 00 2E 00 20 00 50 00 72 00 6F 00 62 00 65 00 S... .P.r.o.b.e.
130 : 20 00 6E 00 65 00 78 00 74 00 20 00 74 00 6F 00 .n.e.x.t. .t.o.
140 : 20 00 74 00 68 00 65 00 20 00 4F 00 6C 00 69 00 .t.h.e. .O.l.i.
150 : 20 00 49 00 6E 00 6B 00 65 00 72 00 00 00 72 00 .I.n.k.e.r...r.
160 : 0F 00 00 00 00 00 00 00 0F 00 00 00 5C 00 5C 00 ............\.\.
170 : 4F 00 4E 00 59 00 58 00 5C 00 77 00 66 00 72 00 O.N.Y.X.\.w.f.r.
180 : 73 00 74 00 6B 00 31 00 00 00 31 00 2D 00 00 00 s.t.k.1...1.-...
190 : 00 00 00 00 2D 00 00 00 48 00 50 00 20 00 4C 00 ....-...H.P. .L.
1a0 : 4A 00 34 00 30 00 35 00 30 00 20 00 2D 00 20 00 J.4.0.5.0. .-. .
1b0 : 32 00 34 00 4D 00 62 00 20 00 72 00 61 00 6D 00 2.4.M.b. .r.a.m.
1c0 : 20 00 2D 00 20 00 41 00 6C 00 73 00 6F 00 20 00 .-. .A.l.s.o. .
1d0 : 61 00 20 00 44 00 41 00 5A 00 45 00 4C 00 20 00 a. .D.A.Z.E.L. .
1e0 : 2D 00 20 00 4E 00 54 00 53 00 4E 00 35 00 41 00 -. .N.T.S.N.5.A.
1f0 : 00 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 ..A.............
200 : 00 00 00 00 01 00 00 00 01 00 00 00 1C F5 2D 03 ..............-.
210 : 1C 00 00 00 70 03 C7 02 10 F3 2D 03 65 05 00 00 ....p.....-.e...
220 : 02 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 ................
230 : 00 00 00 00 07 00 00 00 5C 00 5C 00 4F 00 4E 00 ........\.\.O.N.
240 : 59 00 58 00 00 00 58 00 01 00 00 00 00 00 00 00 Y.X...X.........
250 : 01 00 00 00 00 00 ......


Martynas
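To see what the quoted packet actually carries, the following decoder (an added example, my own code and not part of the original post) walks the payload down to the spoolss stub: NetBIOS session header, SMB_COM_TRANSACTION over \PIPE\, the DCERPC request header, then the NDR-encoded RpcAddPrinterEx arguments (PRINTER_INFO_1 strings and the SPLCLIENT_INFO_1 client record). Field layouts follow MS-CIFS, DCE/RPC and MS-RPRN; the decoder is hand-rolled for this one request shape, not a general parser. An overflow attempt in this call would show up as an oversized counted string, so the reported string lengths are what to compare against the rule's threshold when deciding between false positive and attack.

```python
import struct

# The payload quoted in the post, transcribed to hex (598 bytes = 4-byte NBSS header + NBSS length 0x252).
PAYLOAD = bytes.fromhex(
    "00000252ff534d422500000000180380d18000000000000000000000010000986400c000100000fe0100000004000000"
    "0000000000000000005400fe0154000200260061730f025c5c0050004900500045005c000000005c0500000310000000"
    "fe01000001000000e60100000000460098fe2d030a000000000000000a0000005c005c00460046004100420053004d00"
    "42000000010000000100000050fe2d0318080000e4f52d0324fc2d0358f1ca025100000000000000510000005c005c00"
    "4f004e00590058005c00770066007200730074006b0031002c004800500020004c0061007300650072004a0065007400"
    "2000340030003500300020005300650072006900650073002000500053002c0042006c00640067002e00200033002000"
    "53002e002000500072006f006200650020006e00650078007400200074006f00200074006800650020004f006c006900"
    "200049006e006b0065007200000072000f000000000000000f0000005c005c004f004e00590058005c00770066007200"
    "730074006b003100000031002d000000000000002d0000004800500020004c004a00340030003500300020002d002000"
    "320034004d0062002000720061006d0020002d00200041006c0073006f00200061002000440041005a0045004c002000"
    "2d0020004e00540053004e0035004100000041000000000000000000000000000000000001000000010000001cf52d03"
    "1c0000007003c70210f32d03650500000200000000000000000000000700000000000000070000005c005c004f004e00"
    "59005800000058000100000000000000010000000000"
)

def ndr_wstr(stub, off):
    """NDR conformant-varying UTF-16LE string: max/offset/actual counts, chars, then 4-byte padding."""
    actual = struct.unpack_from("<III", stub, off)[2]
    text = stub[off + 12:off + 12 + 2 * actual].decode("utf-16-le").rstrip("\x00")
    off += 12 + 2 * actual
    return text, actual, off + (-off) % 4

def decode_add_printer_ex(pkt):
    """Walk NBSS -> SMB_COM_TRANSACTION -> DCERPC request -> RpcAddPrinterEx stub (MS-RPRN opnum 70)."""
    smb = pkt[4:]                                        # skip the 4-byte NetBIOS session header
    assert smb[:4] == b"\xffSMB"
    wct = smb[32]                                        # WordCount: 14 Trans words + 2 setup words
    data_off = struct.unpack_from("<H", smb, 57)[0]      # Trans DataOffset, relative to the SMB header
    name_off = 35 + 2 * wct + ((35 + 2 * wct) & 1)       # pipe name follows ByteCount, 2-byte aligned
    end = next(i for i in range(name_off, len(smb), 2) if smb[i:i + 2] == b"\x00\x00")
    rpc = smb[data_off:]
    ptype, opnum = rpc[2], struct.unpack_from("<H", rpc, 22)[0]   # DCERPC type 0 = request; opnum 70
    stub = rpc[24:]                                      # NDR stub follows the 24-byte request header
    server, _, off = ndr_wstr(stub, 4)                   # pName, after its 4-byte referent id
    level = struct.unpack_from("<I", stub, off)[0]       # PRINTER_CONTAINER.Level
    off += 12 + 16                                       # Level, switch, pointer; PRINTER_INFO_1 flags + 3 ptrs
    info = {}
    for key in ("description", "name", "comment"):       # deferred PRINTER_INFO_1 strings, in order
        info[key], info[key + "_len"], off = ndr_wstr(stub, off)
    off += 16 + 12                                       # empty DevMode/Security containers; CLIENT_INFO header
    build = struct.unpack_from("<I", stub, off + 12)[0]  # SPLCLIENT_INFO_1.dwBuildNum
    machine, _, _ = ndr_wstr(stub, off + 28)             # SPLCLIENT_INFO_1.pMachineName
    return {"pipe": smb[name_off:end].decode("utf-16-le"), "rpc_type": ptype, "opnum": opnum,
            "server": server, "level": level, "printer": info, "client_build": build, "client": machine}
```

Calling decode_add_printer_ex(PAYLOAD) yields the print server name, the PRINTER_INFO_1 description/name/comment with their counted lengths (81, 15 and 45 characters here), and the calling machine's name and spooler build number.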
