Re: TFTP Scanner recommendation requested

From: Barry Fitzgerald (bkfsec@sdf.lonestar.org)
Date: Mon Aug 18 2003 - 15:54:18 EDT


Hello Harlan,

    Comments inline:

H Carvey wrote:

>
>Okay, you got scanned. Were the datagrams dropped?
>You say that your IDS alerted you. Is the IDS outside
>the firewall? Is the firewall configured to block this
>protocol?
>
>

The datagrams were not dropped. The ports were not originally blocked
(I know... but I'm not responsible for firewalling in my org) but they
are now. The datagrams were generic gets of /etc/passwd - standard
fodder for a scan. They were verified not to have been successful
because I personally verified that the target hosts did not have tftp
running and the hosts were Windows 2000 boxes. No /etc/passwd
to speak of. :) So, we're not talking about an exploit here - I just
want to reduce my workload down the line.

>Actually, the worm does NOT "open up that port".
>Instead, it launches the TFTP client on the system (not
>unlike the Unicode exploit against IIS servers). In
>doing so, it attempts to connect to a TFTP server, but
>it does not "open up that port".
>
>

The distinction is noted - sorry for the misuse of the term. :)

>
>How have you verified this? Some clarification
>regarding how you were able to verify that this is an
>automated backdoor scan would be very instructive for
>the group.
>
>

Ok - the scan was in the context of generic tftp gets for /etc/passwd along
with scans for Trinoo, BackOrifice, and portal-of-doom. No backdoors
were found and the scan was patterned and sequential down the IP range.
Classic scan pattern. Not one we get often, but still clearly a scan.

>
>What kind of architecture are you running? On an NT
>domain, you can do a wide variety of scans. For one,
>you can scan each system for services, to see if there
>is a TFTP server running. UDP scans are inherently
>unreliable, so check process lists for running TFTP
>servers, as well. All of this can be done from a
>central location using a Domain Admin account. Look at
>using psexec.exe from SysInternals to run fport, or
>better yet, openports.exe from DiamondCS.
>
>Hope that helps,
>
>Harlan
>
>
>

Dealing primarily with a heterogeneous architecture: Windows NT/2000,
Unix (multiple varieties), and GNU/Linux. That's really the problem - I
can't really search the boxes in all cases - I really have to pen-test
for determination. I'll look into those utilities for scanning for
processes. That was helpful. Thanks.

          -Barry
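
Added example, not part of the thread above: a minimal TFTP probe that does what Harlan's suggestion amounts to for the hosts Barry cannot inspect from a domain account. It sends one Read Request (RFC 1350 opcode 1) for a filename assumed not to exist and classifies the answer. A DATA or ERROR reply is positive proof that a TFTP daemon is listening; no reply proves nothing (dropped by a firewall, no daemon, or a lost datagram), which is the "UDP scans are inherently unreliable" caveat in the quoted text. So the probe reports "no-reply" rather than "closed" unless the OS surfaces an ICMP port-unreachable. The loopback server below is a constructed stand-in for a TFTP daemon so the exchange runs offline; the probe filename is an arbitrary choice.

```python
import socket
import struct
import threading

# TFTP opcodes from RFC 1350
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a Read Request: opcode 1 | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_reply(data: bytes) -> dict:
    """Classify a reply datagram. DATA means the file was readable; ERROR
    still proves a server answered (e.g. code 1 'File not found')."""
    if len(data) < 4:
        return {"kind": "malformed"}
    opcode = struct.unpack("!H", data[:2])[0]
    if opcode == OP_DATA:
        block = struct.unpack("!H", data[2:4])[0]
        return {"kind": "data", "block": block, "length": len(data) - 4}
    if opcode == OP_ERROR:
        code = struct.unpack("!H", data[2:4])[0]
        msg = data[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return {"kind": "error", "code": code, "message": msg}
    return {"kind": "other", "opcode": opcode}


def probe_tftp(host: str, port: int = 69, filename: str = "tftp-probe-nonexistent",
               timeout: float = 2.0) -> dict:
    """Send one RRQ for a file assumed not to exist and classify the result.
    Only a reply is conclusive; a timeout is NOT evidence that no server runs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, port))
        try:
            data, peer = s.recvfrom(2048)
        except socket.timeout:
            return {"status": "no-reply"}   # filtered, absent, or lost: inconclusive
        except ConnectionRefusedError:
            return {"status": "closed"}     # ICMP port unreachable reported by the OS (Linux)
    result = parse_reply(data)
    result.update(status="open", peer=peer)
    return result


def start_fake_tftp_server():
    """Constructed stand-in for a TFTP daemon on 127.0.0.1: answers every RRQ
    with ERROR code 1 'File not found'. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(2048)
            except socket.timeout:
                continue
            if len(data) >= 2 and struct.unpack("!H", data[:2])[0] == OP_RRQ:
                srv.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\x00", peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def demo() -> dict:
    """Run the probe against the loopback stand-in and return its classification."""
    port, stop = start_fake_tftp_server()
    try:
        return probe_tftp("127.0.0.1", port)
    finally:
        stop()


if __name__ == "__main__":
    print(demo())
```

Run across the range with a short timeout and treat only "open" as a finding; follow up "no-reply" hosts with a process-list check (the openports/fport route for Windows, `netstat -anu` or equivalent on the Unix hosts), since the UDP result alone cannot distinguish a filtered port from an absent daemon.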

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT