Barry,

> >Actually, the worm does NOT "open up that port".
> >Instead, it launches the TFTP client on the system (not unlike the Unicode
> >exploit against IIS servers). In doing so, it attempts to connect to a
> >TFTP server, but it does not "open up that port".
>
> The distinction is noted - sorry for the misuse of the term. :)

No problem. Understanding the issue and using the right terminology cuts down (but does not prevent) the widespread misinformation that tends to clog the lists and inundate the poor helpdesk.

> >How have you verified this? Some clarification regarding how you were
> >able to verify that this is an automated backdoor scan would be very
> >instructive for the group.
>
> Ok - the scan was in context of generic tftp gets for /etc/passwd along
> with scans for Trinoo, BackOrifice, and portal-of-doom. No backdoors
> were found and the scan was patterned and sequential down the IP range.
> Classic scan pattern. Not one we get often, but still clearly a scan.

Good to hear. Sometimes folks post to the lists saying they "verified" that it was a scan, or a particular tool, or whatever...and there's never any clarifying information. I think many of the readers who aren't as familiar with the particular situation would benefit from this...and by sharing info, we all benefit.

> Dealing primarily with a heterogeneous architecture, Windows NT/2000,
> Unix (multiple varieties), and GNU/Linux. That's really the problem - I
> can't really search the boxes in all cases - I really have to pen-test
> for determination. I'll look into those utilities for scanning for
> processes. That was helpful. Thanks.

It'll be tougher on *nix boxen, but you can set something up via SSH, most likely. If you have a domain admin account, scanning the Windows boxen would be fairly, even to script.

Harlan
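An added example, not part of the original thread: a small Python check for the "patterned and sequential down the IP range" pattern Barry uses to classify the traffic as a scan, run over constructed firewall-style log lines (the line format, addresses and the 192.0.2.0/24 range are assumptions for the illustration).

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log (not from the thread): "time src -> dst:port/proto".
# The first source walks consecutive hosts on udp/69 (tftp); the second hits
# scattered hosts and should not be flagged as a sequential sweep.
SAMPLE_LOG = """\
12:00:01 10.9.8.7 -> 192.0.2.1:69/udp
12:00:01 10.9.8.7 -> 192.0.2.2:69/udp
12:00:02 10.9.8.7 -> 192.0.2.3:69/udp
12:00:02 10.9.8.7 -> 192.0.2.4:69/udp
12:00:03 10.9.8.7 -> 192.0.2.5:69/udp
12:00:03 10.9.8.7 -> 192.0.2.6:69/udp
12:00:04 198.51.100.5 -> 192.0.2.10:69/udp
12:00:09 198.51.100.5 -> 192.0.2.40:69/udp
12:00:15 198.51.100.5 -> 192.0.2.12:69/udp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(\w+)$")


def parse_log(text):
    """Turn log lines into (time, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, port, _proto = m.groups()
            events.append((t, src, ip_address(dst), int(port)))
    return events


def find_sequential_sweeps(events, min_hosts=4):
    """Per source, find the longest run of destinations that step through
    consecutive addresses in arrival order. Returns {src: (first, last, run_len)}
    for runs of at least min_hosts; isolated or scattered probes are not reported."""
    by_src = defaultdict(list)
    for _t, src, dst, _port in events:
        by_src[src].append(dst)
    sweeps = {}
    for src, dsts in by_src.items():
        best_start, best_len, run_start, run_len = 0, 1, 0, 1
        for i in range(1, len(dsts)):
            if int(dsts[i]) == int(dsts[i - 1]) + 1:
                run_len += 1          # still walking the range one host at a time
            else:
                run_start, run_len = i, 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        if best_len >= min_hosts:
            first, last = dsts[best_start], dsts[best_start + best_len - 1]
            sweeps[src] = (str(first), str(last), best_len)
    return sweeps
```

Raising `min_hosts` trades sensitivity for fewer false positives on small, legitimate bursts such as a monitoring host polling a few neighbours.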
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 13:38:45 PDT