SNMP WINS deletion
Summary
An attempt was made to delete WINS database entries through the server's SNMP interface. This is most likely a Denial-of-Service (DoS) attempt or a probe by a vulnerability scanner.
Details
SNMP is a mechanism for remotely managing network devices and services. Microsoft has "instrumented" most of its services so that they can be managed remotely via SNMP. One such service is WINS, which maintains a database mapping Windows machine names to IP addresses. Windows clients query this service in order to find servers (and often each other).
Many systems are vulnerable to an attack in which an SNMP SET request is sent to the server instructing the WINS agent to delete entries from its database. SNMPv1 authenticates such a request with nothing more than a community string sent in the clear, so an attacker who knows (or guesses) the write community string needs no other access. This does not break into the server, but once the entries are gone, clients and servers can no longer find each other by name.
However, this Denial-of-Service (DoS) may be a prelude to other attacks. It may be part of a broad-spectrum vulnerability scan designed to discover the weak points of the network. It may instead be one step in a more sophisticated attack designed to disconnect the primary domain controller from the network.
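The attack described above is an SNMP SET request whose varbinds fall under Microsoft's WINS MIB. The following is an added example, not code from the original page or from any IDS vendor: a self-contained Python decoder for SNMPv1 messages that builds a constructed sample packet and flags SET requests whose OIDs lie under the WINS subtree. The WINS OID prefix (1.3.6.1.4.1.311.1.2, under Microsoft's enterprise arc 311) and the placeholder instance OID used in the sample are assumptions; check the prefix against the wins.mib you actually run.

```python
# Added example: flag SNMPv1 SET requests aimed at the Microsoft WINS MIB.
# Minimal BER encode/decode for RFC 1157 messages, enough to build a
# constructed sample packet and to inspect UDP/161 payloads offline.
from typing import Optional, Tuple

# Microsoft's enterprise arc is 1.3.6.1.4.1.311; the WINS MIB is assumed to
# hang off it as microsoft.software.wins = 1.3.6.1.4.1.311.1.2. Treat this
# prefix as a parameter and check it against the wins.mib you deploy.
WINS_SUBTREE = (1, 3, 6, 1, 4, 1, 311, 1, 2)
GET_REQUEST_TAG = 0xA0   # context-specific constructed [0] (RFC 1157)
SET_REQUEST_TAG = 0xA3   # context-specific constructed [3]

def _length(n: int) -> bytes:
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def enc_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    if v == 0:
        return _tlv(0x02, b"\x00")
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(arcs: Tuple[int, ...]) -> bytes:
    """OBJECT IDENTIFIER with base-128 sub-identifiers."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_request(pdu_tag: int, community: str, oid: Tuple[int, ...],
                  value: bytes, request_id: int = 1) -> bytes:
    """Assemble an SNMPv1 message carrying a single varbind."""
    varbind = _tlv(0x30, enc_oid(oid) + value)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after the element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _dec_oid(body: bytes) -> Tuple[int, ...]:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def parse_snmpv1(pkt: bytes) -> dict:
    """Decode version, community, PDU type and the varbind OIDs."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, body, pos = _read_tlv(msg, 0)
    version = int.from_bytes(body, "big", signed=True)
    _, body, pos = _read_tlv(msg, pos)
    community = body.decode("latin-1")
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                 # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)    # SEQUENCE OF VarBind
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_dec_oid(oid_body))
    return {"version": version, "community": community,
            "pdu_tag": pdu_tag, "oids": oids}

def wins_set_alert(pkt: bytes) -> Optional[dict]:
    """Alert details if pkt is a SET touching the WINS subtree, else None."""
    msg = parse_snmpv1(pkt)
    if msg["pdu_tag"] != SET_REQUEST_TAG:
        return None
    hits = [o for o in msg["oids"] if o[:len(WINS_SUBTREE)] == WINS_SUBTREE]
    if not hits:
        return None
    return {"community": msg["community"],
            "oids": [".".join(map(str, o)) for o in hits]}

# Constructed samples, not captured traffic. The instance OID under the WINS
# subtree is a placeholder, not a claim about a particular wins.mib object.
SAMPLE_WINS_SET = build_request(SET_REQUEST_TAG, "public",
                                WINS_SUBTREE + (5, 1, 0), enc_int(1))
SAMPLE_SYSDESCR_GET = build_request(GET_REQUEST_TAG, "public",
                                    (1, 3, 6, 1, 2, 1, 1, 1, 0), _tlv(0x05, b""))
```

Feed `wins_set_alert` the UDP payload of each datagram sent to port 161 in a capture; GET requests and SETs outside the WINS subtree return None, while a SET under the subtree returns the community string used and the target OIDs. Because the request is a single unauthenticated UDP datagram, the alert says nothing reliable about the true source address; treat it as something to correlate with other events rather than as a reason to block the apparent sender.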
Action
This may be part of a broad-spectrum attack. The data should be analyzed to associate these events with others. Be aware that the source address of this attack is easily spoofed, since SNMP runs over UDP and the request is not authenticated beyond its community string. Like many broad-spectrum scans, it may be directed against systems that do not have SNMP or WINS running on them at all. It is therefore unlikely to indicate a major compromise of the network, but it is something that should be investigated further.
Also make sure that SNMP is disabled on the affected systems. This can be done by removing the SNMP service in the Network Control Panel, or by disabling the service in the Services Control Panel. Alternatively, the WINS Extension Agent can be removed or disabled. If SNMP must stay enabled, change the community strings from their defaults and restrict which management hosts are permitted to send SNMP requests to the server.
Version appeared: 2.5