Re: TFTP Scanner recommendation requested

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 13:20:46 -0700 (PDT)
    To: pen-test@securityfocus.com
    
    

    Barry,

    > >Actually, the worm does NOT "open up that port".
    > >Instead, it launches the TFTP client on the system (not
    > >unlike the Unicode exploit against IIS servers). In
    > >doing so, it attempts to connect to a TFTP server, but
    > >it does not "open up that port".
    >
    > The distinction is noted - sorry for the misuse of
    > the term. :)

    No problem. Understanding the issue and using the
    right terminology cuts down (but does not prevent) the
    widespread misinformation that tends to clog the
    lists and inundate the poor helpdesk.

    > >How have you verified this? Some clarification
    > >regarding how you were able to verify that this is an
    > >automated backdoor scan would be very instructive for
    > >the group.
    >
    > Ok - the scan was in context of generic tftp gets
    > for /etc/passwd along with scans for Trinoo,
    > BackOrifice, and portal-of-doom. No backdoors were
    > found and the scan was patterned and sequential down
    > the IP range. Classic scan pattern. Not one we get
    > often, but still clearly a scan.

    Good to hear. Sometimes folks post to the lists saying
    they "verified" that it was a scan, or a particular
    tool, or whatever...and there's never any clarifying
    information. I think many of the readers who aren't
    as familiar with the particular situation would
    benefit from this...and by sharing info, we all
    benefit.
     
    > Dealing primarily with a heterogeneous architecture,
    > Windows NT/2000, Unix (multiple varieties), and
    > GNU/Linux. That's really the problem - I can't really
    > search the boxes in all cases - I really have to
    > pen-test for determination. I'll look into those
    > utilities for scanning for processes. That was
    > helpful. Thanks.

    It'll be tougher on *nix boxen, but you can set
    something up via SSH, most likely. If you have a
    domain admin account, scanning the Windows boxen would
    be fairly, even to script.

    Harlan

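A defender-side check that turns the scan characterisation above (a patterned, sequential walk down an IP range making TFTP gets for /etc/passwd) into detection logic. This is an added example, not code from the thread or its participants; the log line format, the addresses and the sample lines are all constructed, and the sensitive-file list is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the thread): one source steps through a
# range one host at a time requesting /etc/passwd over TFTP (UDP/69); a second
# source makes a single boot-image fetch, which is normal TFTP traffic.
SAMPLE_LOG = """\
2003-08-18 13:01:02 src=198.51.100.7 dst=192.0.2.10 proto=udp dport=69 rrq=/etc/passwd
2003-08-18 13:01:03 src=198.51.100.7 dst=192.0.2.11 proto=udp dport=69 rrq=/etc/passwd
2003-08-18 13:01:04 src=198.51.100.7 dst=192.0.2.12 proto=udp dport=69 rrq=/etc/passwd
2003-08-18 13:01:05 src=198.51.100.7 dst=192.0.2.13 proto=udp dport=69 rrq=/etc/passwd
2003-08-18 13:05:00 src=192.0.2.50 dst=192.0.2.2 proto=udp dport=69 rrq=pxelinux.0
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)(?: rrq=(\S+))?")
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}  # assumed watch-list
TFTP_PORT = 69


def parse(log):
    """Yield (src, dst_ip, dport, requested_file) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, _proto, dport, rrq = m.groups()
            yield src, ipaddress.ip_address(dst), int(dport), rrq


def is_sequential(addrs, min_hosts=3):
    """True when the distinct destinations step by exactly one address,
    up or down the range, across at least min_hosts hosts."""
    if len(addrs) < min_hosts:
        return False
    steps = {int(b) - int(a) for a, b in zip(addrs, addrs[1:])}
    return steps == {1} or steps == {-1}


def find_tftp_sweeps(log, min_hosts=3):
    """Return {src: {"hosts": n, "sensitive": [...]}} for sources whose TFTP
    traffic walks sequentially through a range; lists any sensitive files asked for."""
    dests = defaultdict(list)
    files = defaultdict(set)
    for src, dst, dport, rrq in parse(log):
        if dport != TFTP_PORT:
            continue
        if not dests[src] or dests[src][-1] != dst:  # keep order, drop repeats
            dests[src].append(dst)
        if rrq in SENSITIVE_FILES:
            files[src].add(rrq)
    return {src: {"hosts": len(d), "sensitive": sorted(files[src])}
            for src, d in dests.items() if is_sequential(d, min_hosts)}
```

Tuning min_hosts upward reduces noise on networks where one host legitimately talks to a few adjacent TFTP servers.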

