Hackers After Patched WINS Servers

UPDATED: They're looking for holes in the already patched vulnerability.

By Sean Michael Kerner | Jan 5, 2005

UPDATED: According to the Internet Storm Center (ISC) at the SANS Institute, hackers are trying to exploit an already patched Microsoft WINS Server vulnerability.

Microsoft patched the WINS Server Vulnerability in its MS04-45 security bulletin on Dec. 14. According to the bulletin, an attacker could exploit the Name Validation Vulnerability by constructing a malicious network packet, potentially allowing remote code execution on an affected system.

However, the ISC and others are still recording hacker probes attempting to discover unpatched systems.

The ISC noted on its site that it had seen a "marked increase" since Dec. 31 in port scans directed at WINS services (usually TCP port 42). The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) at Indiana University has also reported an increase in port 42 scanning since Dec. 31, with traffic exceeding 5000 packets every 15 minutes on Jan. 1.

"So, if you have not patched your WINS servers in your respective companies or campuses, beware," ISC handler Scott Fendley wrote in a post. "Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. So please block these ports and keep the riff-raff out in case your local Windows Server Admins have not patched for this over the holidays."

A Microsoft spokesperson confirmed that the company is aware of the situation, though it downplayed the potential threat.

"One thing in particular is that WINS Servers are not meant to be Internet-facing, so any attack against WINS Server would be pretty limited," the spokesperson explained. "However, we're still really encouraging people to apply the update."

WINS is a network infrastructure that is often used by enterprises for name registration and name resolution. The WINS Server Vulnerability was first detected at the beginning of December. Before the patch was issued, Microsoft recommended that network administrators block TCP and UDP port 42 at the firewall or remove WINS outright if it wasn't needed.
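
The scanning reported above, and Fendley's point that WINS traffic should not cross the border router, can both be checked against border flow logs. The following is an added example, not code from the article, the ISC or Microsoft: it groups inbound port 42 traffic into 15-minute windows, and the log format, the 10.0.0.0/8 internal range, the sample lines and the alert threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

WINS_PORT = 42                                  # TCP and UDP port named in the article
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the site's address space
# Constructed log format: "<ISO time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"(\S+) (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

SAMPLE_LOG = """\
2005-01-01T00:01:10 tcp 198.51.100.7:4312 -> 10.0.0.5:42
2005-01-01T00:01:11 tcp 198.51.100.7:4313 -> 10.0.0.6:42
2005-01-01T00:02:40 tcp 198.51.100.7:4314 -> 10.0.0.7:42
2005-01-01T00:05:02 udp 203.0.113.9:1025 -> 10.0.0.5:42
2005-01-01T00:09:30 tcp 10.0.1.20:3001 -> 10.0.0.5:42
2005-01-01T00:12:00 tcp 198.51.100.7:4400 -> 10.0.0.5:80
2005-01-01T00:16:05 tcp 192.0.2.44:2200 -> 10.0.0.5:42
malformed line
"""

def border_wins_hits(log_text, internal=INTERNAL):
    """Yield (window_start, src, dst) for external-to-internal port 42 traffic."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                            # skip lines that do not parse
        ts, _proto, src, _sport, dst, dport = m.groups()
        try:
            t = datetime.fromisoformat(ts)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue                            # bad timestamp or address
        if int(dport) != WINS_PORT or src_ip in internal or dst_ip not in internal:
            continue                            # keep only inbound border crossings
        # Round the timestamp down to the start of its 15-minute window.
        yield t.replace(minute=t.minute - t.minute % 15, second=0).isoformat(), src, dst

def summarize(log_text, threshold):
    """Per 15-minute window: packet count, sources, targets, and an alert flag."""
    windows = defaultdict(lambda: {"packets": 0, "sources": set(), "targets": set()})
    for win, src, dst in border_wins_hits(log_text):
        windows[win]["packets"] += 1
        windows[win]["sources"].add(src)
        windows[win]["targets"].add(dst)
    return {win: dict(w, alert=w["packets"] >= threshold)
            for win, w in sorted(windows.items())}
```

If port 42 is blocked at the border as recommended, any non-empty result from border logs points to a filtering gap; one source touching several targets in a single window is the pattern a scan produces.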
