In-Reply-To: <3F3A895A.60600at_private>

Barry,

> First of all, my office just got completely pelted with a scan
> looking for open udp/69 ports with tftp requests being made on each
> port.

Okay, you got scanned. Were the datagrams dropped? You say that your IDS alerted you. Is the IDS outside the firewall? Is the firewall configured to block this protocol?

> (Our IDS alerted me to this). I know that msblast opens up that
> port during the worm-infection period.

Actually, the worm does NOT "open up that port". Instead, it launches the TFTP client on the system (not unlike the Unicode exploit against IIS servers). In doing so, it attempts to connect to a TFTP server, but it does not "open up that port".

> So, the fact that this is
> happening right now is not surprising. Is anyone else noticing this? (I
> know that we aren't infected with msblast, so it's not worm traffic -
> and I have verified that this is an automated backdoor scan.)

How have you verified this? Some clarification regarding how you were able to verify that this is an automated backdoor scan would be very instructive for the group.

> Anyway, the reason I'm writing this to the pen-test list is for a
> recommendation. I'd like to keep my eye out for open tftp servers on my
> LAN just in case. Does anyone have a recommendation for a tftp scanner
> that can scan a range of IPs for functioning tftp listeners?

What kind of architecture are you running? On an NT domain, you can do a wide variety of scans. For one, you can scan each system for services, to see if there is a TFTP server running. UDP scans are inherently unreliable, so check process lists for running TFTP servers, as well. All of this can be done from a central location using a Domain Admin account. Look at using psexec.exe from SysInternals to run fport, or better yet, openports.exe from DiamondCS.
Hope that helps,

Harlan

---------------------------------------------------------------------------
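The kind of TFTP listener check Barry asked for, written as an added example rather than anything posted in this thread: it sends a TFTP read request for a made-up filename and treats either a DATA or an ERROR reply as proof of a listener, while making Harlan's point about UDP explicit (silence is not a closed port, and a TFTP server answers from a new ephemeral port, so a connected UDP socket would never see the reply). The 192.0.2.x range and the probe filename are constructed placeholders.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5  # TFTP opcodes, RFC 1350


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def classify_reply(data: bytes) -> str:
    """DATA means the file was served; ERROR (e.g. 'file not found')
    still proves a TFTP service answered, so both count as a listener."""
    if len(data) < 4:
        return "malformed"
    (opcode,) = struct.unpack("!H", data[:2])
    if opcode == OP_DATA:
        return "listener (served data)"
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", data[2:4])
        msg = data[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return f"listener (error {code}: {msg})"
    return f"unexpected opcode {opcode}"


def probe_tftp(host: str, timeout: float = 2.0) -> str:
    """Send one RRQ for a made-up filename to host:69, classify the answer.
    The socket is deliberately left unconnected: a TFTP server replies from
    a fresh ephemeral port (its transfer ID), so a connect()ed socket would
    drop the reply and mis-report the host as silent.  Silence proves only
    that nothing came back, which is why process lists still need checking."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq("tftp-probe-does-not-exist.txt"), (host, 69))
        try:
            data, _peer = s.recvfrom(516)
        except socket.timeout:
            return "no reply (filtered, dropped, or no listener)"
        except OSError as exc:  # Windows surfaces ICMP port-unreachable here
            return f"closed or unreachable ({exc.__class__.__name__})"
    return classify_reply(data)


if __name__ == "__main__":
    # 192.0.2.0/24 is documentation space: a constructed placeholder range
    for last in range(1, 5):
        host = f"192.0.2.{last}"
        print(host, probe_tftp(host))
```

A "no reply" verdict should be followed up on the host itself, exactly as Harlan suggests, since a firewall dropping the datagram and an absent listener look identical from the network.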
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 10:58:34 PDT