COMMAND

    kernel

SYSTEMS AFFECTED

    WinNT

PROBLEM

    David F. Skoll posted the following. After seeing a lot of NetBIOS
    node-status probes in his firewall logs, he discovered that many
    NT servers apparently do a reverse DNS lookup by sending a NetBIOS
    node-status query. This is documented at:

        http://support.microsoft.com/support/kb/articles/Q154/5/53.ASP

    It seems to me that it's much easier to spoof an answer to a
    NetBIOS node-status request than to tamper with the actual DNS
    system. The Web page says this is only used for WINS lookups,
    but we see a lot of these probes coming from machines across the
    Internet.

    Essentially, NT believes *the system it is querying* rather than
    a DNS server. It is (presumably) easier to take control of a
    system you own rather than a DNS server over which you do not
    have administrative control.

    The people who helped David to discover this wish to remain
    anonymous.
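
    To find these probes in captured UDP/137 traffic, the following added
    example (not part of the original posting) recognizes a node-status
    request by its RFC 1002 layout and tallies senders outside the local
    network. The addresses, sample packets and function names are
    constructed for illustration.

```python
import ipaddress
import struct

NBSTAT, NB_IN = 0x0021, 0x0001   # RFC 1002: node-status question type, class IN

def decode_nb_name(label: bytes):
    """Undo RFC 1001 first-level encoding: 32 chars 'A'..'P' -> 16 raw bytes."""
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        return None
    return bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                 for i in range(0, 32, 2))

def parse_node_status_query(payload: bytes):
    """Return the queried 16-byte name if payload is an NBSTAT request, else None."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        return None                      # truncated datagram
    _, flags, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0:
        return None                      # a response, or an opcode other than query
    if qdcount != 1 or payload[12] != 0x20 or payload[45] != 0x00:
        return None                      # names with a scope ID are not handled here
    if struct.unpack("!HH", payload[46:50]) != (NBSTAT, NB_IN):
        return None                      # e.g. an ordinary name query (type NB)
    return decode_nb_name(payload[13:45])

def external_probers(records, internal_cidr):
    """Count NBSTAT requests per source address outside internal_cidr."""
    net = ipaddress.ip_network(internal_cidr)
    hits = {}
    for src, dport, payload in records:
        if (dport == 137 and ipaddress.ip_address(src) not in net
                and parse_node_status_query(payload) is not None):
            hits[src] = hits.get(src, 0) + 1
    return hits

# Constructed sample data: (source address, destination port, UDP payload).
WILDCARD = b"CK" + b"A" * 30             # encodes "*" followed by 15 NUL bytes
QUERY = (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + b"\x20" + WILDCARD
         + b"\x00" + struct.pack("!HH", NBSTAT, NB_IN))
NAME_QUERY = QUERY[:46] + struct.pack("!HH", 0x0020, NB_IN)
RECORDS = [("203.0.113.7", 137, QUERY), ("203.0.113.7", 137, QUERY),
           ("198.51.100.9", 137, NAME_QUERY), ("10.0.0.5", 137, QUERY),
           ("203.0.113.8", 137, QUERY[:20]), ("203.0.113.9", 53, QUERY)]

if __name__ == "__main__":
    print(external_probers(RECORDS, "10.0.0.0/8"))
```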

SOLUTION

    Nothing yet.