[Snort-sigs] SID 1442

warchild at ...288...
Sun Apr 28 14:32:02 EDT 2002


pcap attached

#####

--
Rule:
alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|";
offset:0; depth:2; content:"shadow"; nocase;
classtype:successful-admin; sid:1442; rev:1;)

--
Sid:
1442

--
Summary:
Someone attempted to get a file named 'shadow' via tftp.

--
Impact:
This could mean one of two things.  First, it could mean that
someone was tftp'ing into your machine and tried to get a file with
'shadow' in its name.  Secondly, it could mean someone was tftp'ing
from your system and tried to get a file with 'shadow' in its name.
If this file is really _the_ shadow file, then your machine was
possibly compromised and the attacker is attempting to upload a new
shadow file or tftp'd your shadow file offsite for cracking.

--
Detailed Information:
Tftp is the ugly duckling of the ftp family.  Its command set is
limited and it runs over udp.  Its uses are limited but a
misconfigured tftp server can leave gaping holes in one's system.
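To make the rule above concrete, here is an added example (not part of the original post or of the Snort distribution) that builds TFTP read/write requests as laid out in RFC 1350 and applies the two content checks of SID 1442 to them: the first two bytes of the UDP payload must be the RRQ opcode 0x0001, and the string "shadow" must appear anywhere in the payload, case-insensitively. The sample filenames and the helper names (build_tftp_request, parse_tftp_request, sid_1442_matches, run_samples) are constructed for this illustration. Running it shows a genuine /etc/shadow read firing the rule, a printer config whose name happens to contain "shadow" firing it too (the false positive the post warns about), and a write request (opcode 0x0002, the "upload a new shadow file" case from the Impact section) not firing, because the rule as written only looks for the read opcode.

```python
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ = 1, 2


def build_tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ/WRQ payload: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_tftp_request(payload: bytes):
    """Parse a TFTP request; return (opcode, filename, mode) or None if it is not one."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    # filename NUL mode NUL -> split yields [filename, mode, b""]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:
        return None
    return opcode, fields[0].decode(errors="replace"), fields[1].decode(errors="replace")


def sid_1442_matches(payload: bytes) -> bool:
    """Apply the content checks of SID 1442 to a UDP payload sent to port 69.

    content:"|0001|"; offset:0; depth:2  -> bytes 0-1 must be 0x00 0x01 (RRQ)
    content:"shadow"; nocase             -> 'shadow' anywhere in the payload, any case
    """
    return payload[:2] == b"\x00\x01" and b"shadow" in payload.lower()


def run_samples() -> dict:
    """Evaluate the rule against constructed requests; returns {label: fired?}."""
    samples = {
        # what the rule is meant to catch: someone pulling the real shadow file
        "rrq /etc/shadow": build_tftp_request(RRQ, "/etc/shadow"),
        # nocase: upper-case filename still fires
        "rrq SHADOW": build_tftp_request(RRQ, "SHADOW", "netascii"),
        # the false positive the post mentions: a config name containing 'shadow'
        "rrq printer-shadow.cfg": build_tftp_request(RRQ, "printer-shadow.cfg"),
        # upload of a replacement shadow file is a WRQ; opcode 0x0002 never fires
        "wrq shadow": build_tftp_request(WRQ, "shadow"),
        # unrelated read: no 'shadow' anywhere in the payload
        "rrq boot.cfg": build_tftp_request(RRQ, "boot.cfg"),
    }
    results = {}
    for label, payload in samples.items():
        parsed = parse_tftp_request(payload)
        fired = sid_1442_matches(payload)
        results[label] = fired
        print(f"{label:24s} parsed={parsed} fired={fired}")
    return results


if __name__ == "__main__":
    run_samples()
```

Because the second content match is not anchored to the filename field, anything in the packet containing "shadow" (a mode string, padding, a path component) is enough; that is what makes the rule cheap but also what produces the printer-config false positive.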

--
Attack Scenarios:
As part of malicious recon, an attacker may try to use the tftp
service that your machine is providing to retrieve the shadow file.
Alternatively, a local user (invited or not) may try to tftp to a
remote machine and get a file named 'shadow'.  This is generally
indicative of hostile activity -- replacing your shadow file, cracking
others, etc.

--
Ease of Attack:
Trivial.  tftp is available on nearly all *nix and Windows machines
and is extremely easy to use.

--
False Positives:
Possible.  Tftp is commonly used to manage configs for printers and
some networking equipment.  It is unlikely that the files being
transferred from these devices contain 'shadow', but it is entirely
possible.

--
False Negatives:
None.

--
Corrective Action:
Determine whether someone was tftp'ing to or from your system.  If the
former, determine where the file came from and where it went to.  Was
it your shadow file?  If the latter, determine where the file came from
and where it was deposited locally.  Did they replace your shadow
file?

--
Contributors:
warchild at ...288...

-- 
Additional References:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tftp-shadow.tcpdump
Type: application/octet-stream
Size: 100 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/1b1b1519/attachment.obj>
