https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084176#M78059 <HTML><HEAD></HEAD><BODY><P>My first thought is you need to find out which host it is. If you don't have authority to contact that person directly, I would find out their supervisor. They may have a virus on the machine, and may not be attacking it directly. Otherwise, if it's causing an issue with your server, I would block their address on that port until you resolve the issue.</P><P></P><P>HTH,</P><P></P><P>John</P></BODY></HTML> Tue, 23 Dec 2008 14:40:54 GMT John Blakley 2008-12-23T14:40:54Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084175#M78057 <P>Today we have been getting numerous RPC WinNuke id=3345 version=S226 type=other created=20050318 alerts. The "attacker" has a private from a remote branch, going through LAN-LAN tunnel to the IPS to the active directory server, port 135. Is the attack designed to enter port 135 and create a DOS? Any suggestions how to respond to the above?</P> Sun, 10 Mar 2019 11:26:00 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084175#M78057 saidfrh 2019-03-10T11:26:00Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084176#M78059 <HTML><HEAD></HEAD><BODY><P>My first thought is you need to find out which host it is. If you don't have authority to contact that person directly, I would find out their supervisor. They may have a virus on the machine, and may not be attacking it directly. Otherwise, if it's causing an issue with your server, I would block their address on that port until you resolve the issue.</P><P></P><P>HTH,</P><P></P><P>John</P></BODY></HTML> Tue, 23 Dec 2008 14:40:54 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084176#M78059 John Blakley 2008-12-23T14:40:54Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084177#M78061 <HTML><HEAD></HEAD><BODY><P>John,</P><P></P><P>The following is glance of the alerts.</P><P>RPC WinNuke </P><P>marsCategory: DoS/Host </P><P>attacker: </P><P>addr: 10.x.5.3 locality=OUT </P><P>port: 4188 </P><P>target: </P><P>addr: 192.168.yy.5 locality=OUT </P><P>port: 135 </P><P></P><P>RPC WinNuke </P><P>DoS/Host </P><P>attacker: </P><P>addr: 10.x.5.3 locality=OUT </P><P>port: 4240 </P><P>target: </P><P>addr: 192.168.yy.5 locality=OUT </P><P>port: 135 </P><P></P><P>Invalid Netbios Name id=3357 version=S256 </P><P>Non A-Z character </P><P>marsCategory: Info/Misc </P><P>attacker: </P><P>addr: 10.x.5.2 locality=OUT </P><P>port: 137 </P><P>target: </P><P>addr: 192.168.yy.5 locality=OUT </P><P>port: 137 </P><P></P><P>Invalid Netbios Name id=3357 version=S256 </P><P>Non A-Z character </P><P>marsCategory: Info/Misc </P><P>attacker: </P><P>addr: 10.x.5.3 locality=OUT </P><P>port: 137 </P><P>target: </P><P>addr: 192.168.yy.6 locality=OUT </P><P>port: 137 </P><P></P><P>RPC WinNuke </P><P>DoS/Host </P><P>attacker: </P><P>addr: 10.x.5.3 locality=OUT </P><P>port: 4406 </P><P>target: </P><P>addr: 192.168.yy.5 locality=OUT </P><P>port: 135 </P><P></P><P>Invalid Netbios Name id=3357 version=S256 Non A-Z character </P><P>marsCategory: Info/Misc </P><P>attacker: </P><P>addr: 10.x.5.2 locality=OUT </P><P>port: 137 </P><P>target: </P><P>addr: 192.168.yy.5 locality=OUT </P><P>port: 137 </P><P></P><P>Invalid Netbios Name id=3357 version=S256 </P><P>Non A-Z character </P><P>marsCategory: Info/Misc </P><P>attacker: </P><P>addr: 10.x.5.2 locality=OUT </P><P>port: 0 </P><P>target: </P><P>addr: 0.0.0.0 locality=OUT </P><P>port: 0 </P><P></P><P>RPC WinNuke </P><P>marsCategory: DoS/Host </P><P>attacker: </P><P>addr: 10.xx.55.5 locality=OUT </P><P>port: 1080 </P><P>target: </P><P>addr: 192.168.yy.4 locality=OUT </P><P>port: 135 </P><P></P><P> RPC WinNuke </P><P> marsCategory: DoS/Host... </P><P> attacker: </P><P> addr: 10.xx.55.5 locality=OUT </P><P> port: 1104 </P><P> target: </P><P> addr: 192.168.yy.5 locality=OUT </P><P> port: 135 </P></BODY></HTML> Tue, 23 Dec 2008 17:05:41 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084177#M78061 saidfrh 2008-12-23T17:05:41Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084178#M78062 <HTML><HEAD></HEAD><BODY><P>You could put a sniffer on your server and see what else is going on. I don't know what else to tell you other than to find the computer(s) that's sending this, and make sure that they don't have any viruses, malware, and are up-to-date on all of their patches.</P><P></P><P>HTH,</P><P></P><P>John</P></BODY></HTML> Tue, 23 Dec 2008 17:10:50 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084178#M78062 John Blakley 2008-12-23T17:10:50Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084179#M78064 <HTML><HEAD></HEAD><BODY><P>My $.02 worth...you need to find this user and shut them down. The 3357 alert is potentially more serious as it is indicative of an old (circa 2005) WINS buffer overflow attack.</P><P>That vulnerability should be patched by now, but the fact that there are non-printables in the exchange is suspicious. You always have the fallback of opening a TAC case to request a False Positive determination along the lines of "Given the age of the covered vulnerability, the alarm is suspected to be a FP". The signature team will request a pcap capture of the suspect data, just so you know. They won't be able to do anything without it (in case your company policy does not allow for sending data to Cisco).</P></BODY></HTML> Tue, 23 Dec 2008 17:47:03 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084179#M78064 scothrel 2008-12-23T17:47:03Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084180#M78066 <HTML><HEAD></HEAD><BODY><P>Thanks. Will do.</P></BODY></HTML> Tue, 23 Dec 2008 17:51:52 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084180#M78066 saidfrh 2008-12-23T17:51:52Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084181#M78067 <HTML><HEAD></HEAD><BODY><P>Also, I noted that your alarm dump showed two 10. sources attacking a single 192. victim, so consider that your remote site probably has a larger problem than just a single box.</P><P></P><P>Hope this doesn't ruin your holidays...</P><P>SC</P></BODY></HTML> Tue, 23 Dec 2008 17:59:11 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084181#M78067 scothrel 2008-12-23T17:59:11Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084182#M78068 <HTML><HEAD></HEAD><BODY><P>I've seen this signature repeatedly fire falsely before. This signature is looking for a specific regex string and if it finds it, it is going to trigger. The string in my case was represented by a DCERPC Bind request with version = 5, minor version = 0, and packet flags set to 0x03 or last and first frag flags are the only ones set. TCP PSH flag also has to be set to meet this condition (and dest port 135), obviously. But definitely enable "log pair" for this signature and get some captures of the traffic then go from there.</P></BODY></HTML> Tue, 23 Dec 2008 19:43:12 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084182#M78068 jnommensen 2008-12-23T19:43:12Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084183#M78069 <HTML><HEAD></HEAD><BODY><P>That is interesting. I'll pass it on to the signature team.</P><P></P><P>SC</P></BODY></HTML> Tue, 23 Dec 2008 21:13:41 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084183#M78069 scothrel 2008-12-23T21:13:41Z https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084184#M78070 <HTML><HEAD></HEAD><BODY><P>The following are samples of the IPS alerts.</P><P>evIdsAlert: eventId=1229364010346913710 vendor=Cisco severity=high </P><P> originator: </P><P> hostId: IPS </P><P> appName: sensorApp </P><P> appInstanceId: 407 </P><P> time: Dec 22, 2008 19:23:20 UTC offset=0 timeZone=-8 </P><P> signature: description=RPC WinNuke id=3345 version=S226 type=other created=20050318 </P><P> subsigId: 0 </P><P> sigDetails: RPC WinNuke </P><P> marsCategory: DoS/Host </P><P> interfaceGroup: vs0 </P><P> vlan: 0 </P><P> participants: </P><P> attacker: </P><P> addr: 10.5..3 locality=OUT </P><P> port: 4188 </P><P> target: </P><P> addr: 192.168..5 locality=OUT </P><P> port: 135 </P><P> os: idSource=learned type=windows-nt-2k-xp relevance=relevant </P><P> alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; </P><P> riskRatingValue: 70 targetValueRating=medium attackRelevanceRating=relevant </P><P> threatRatingValue: 70 </P><P> interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1 </P><P> protocol: tcp </P><P></P><P>evIdsAlert: eventId=1229364010346920068 vendor=Cisco severity=medium </P><P> originator: </P><P> hostId: IPS </P><P> appName: sensorApp </P><P> appInstanceId: 407 </P><P> time: Dec 22, 2008 21:14:25 UTC offset=0 timeZone=-8 </P><P> signature: description=Invalid Netbios Name id=3357 version=S256 type=other created=20050629 </P><P> subsigId: 0 </P><P> sigDetails: Non A-Z character </P><P> marsCategory: Info/Misc </P><P> interfaceGroup: vs0 </P><P> vlan: 0 </P><P> participants: </P><P> attacker: </P><P> addr: 10.5..3 locality=OUT </P><P> port: 137 </P><P> target: </P><P> addr: 192.168..6 locality=OUT </P><P> port: 137 </P><P> os: idSource=learned type=windows-nt-2k-xp relevance=relevant </P><P> alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; </P><P> riskRatingValue: 66 targetValueRating=medium attackRelevanceRating=relevant </P><P> threatRatingValue: 66 </P><P> interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1 </P><P> protocol: udp </P></BODY></HTML> Tue, 23 Dec 2008 21:26:36 GMT https://community.cisco.com/t5/network-security/rpc-winnuke/m-p/1084184#M78070 saidfrh 2008-12-23T21:26:36Z