[Snort-sigs] SID 1443

warchild at ...288...
Sun Apr 28 14:44:01 EDT 2002

pcap attached



alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|";
offset:0; depth:2; content:"passwd"; nocase;
classtype:successful-admin; sid:1443; rev:1;)


Someone attempted to get a file named 'passwd' via tftp.

This could mean one of two things.  First, it could mean that
someone was tftp'ing into your machine and tried to get a file with
'passwd' in its name.  Second, it could mean someone was tftp'ing
from your system and tried to get a file with 'passwd' in its name.
If this file is really _the_ passwd file, then your machine was
possibly compromised and the attacker is attempting to upload a new
passwd file or tftp'd your passwd file offsite for analysis and/or

Detailed Information:
Tftp is the ugly duckling of the ftp family.  Its command set is
limited and it runs over udp.  Its uses are limited but a
misconfigured tftp server can leave gaping holes in one's system.

Attack Scenarios:
As part of malicious recon, an attacker may try to use the tftp
service that your machine is providing to retrieve the passwd file.
Alternatively, a local user (invited or not) may try to tftp to a
remote machine and get a file named 'passwd'.  This is generally
indicative of hostile activity -- replacing your passwd file, cracking
others, etc.

Ease of Attack:
Trivial.  tftp is available on nearly all *nix and Windows machines
and is extremely easy to use.

False Positives:
Possible.  Tftp is commonly used to manage configs for printers and
some networking equipment.  It is unlikely that the files being
transferred from these devices contain 'passwd', but it is entirely

False Negatives:

Corrective Action:
Determine whether someone was tftp'ing to or from your system.  If the
former, determine where the file came from and where it went to.  Was
it your passwd file?  If the latter, determine where the file came from
and where it was deposited locally.  Did they replace your passwd

warchild at ...288...

Additional References:

Attachment: tftp-passwd.tcpdump (application/octet-stream, 100 bytes)
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/6008ccd3/attachment.obj>
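
Added example, not from the original post or from the Snort rule set: a
small parser for TFTP read/write requests (RFC 1350 layout: 2-byte opcode,
filename, NUL, mode, NUL) with two checks run side by side over constructed
packets. `sid1443_matches` reproduces the literal semantics of the rule
above (opcode bytes 00 01 at offset 0, depth 2, and "passwd" anywhere in
the payload, case-insensitive); `filename_check` is an assumed, stricter
variant that tests only the parsed filename and also looks at WRQ (upload)
requests, which the rule as posted does not cover. All function names and
sample packets are constructed for this example; no real capture is used.

```python
"""TFTP request parsing and SID 1443 style matching (added example)."""
import struct

RRQ, WRQ = 1, 2  # TFTP opcodes: read request (GET) and write request (PUT)


def build_request(opcode: int, filename: str, mode: str = "netascii") -> bytes:
    """Build a TFTP RRQ/WRQ payload: opcode (2 bytes, big-endian) | filename | 0 | mode | 0."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, or None if malformed."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # Need at least a filename and a mode; the mode's NUL leaves a trailing field.
    if len(fields) < 3:
        return None
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def sid1443_matches(payload: bytes) -> bool:
    """Literal semantics of the posted rule: bytes 00 01 at offset 0 (depth 2)
    and the string 'passwd' anywhere in the payload, case-insensitive."""
    return payload[:2] == b"\x00\x01" and b"passwd" in payload.lower()


def filename_check(payload: bytes, needle: str = "passwd") -> bool:
    """Assumed stricter check: parse the request and test only the filename
    field, so 'passwd' in trailing bytes does not count, and flag WRQ too."""
    parsed = parse_request(payload)
    if parsed is None:
        return False
    _opcode, filename, _mode = parsed
    return needle in filename.lower()


# Constructed sample packets (not from the attached pcap).
SAMPLES = {
    "rrq_etc_passwd": build_request(RRQ, "/etc/passwd", "octet"),   # classic GET
    "rrq_upper":      build_request(RRQ, "PASSWD.bak", "netascii"), # nocase case
    "wrq_passwd":     build_request(WRQ, "passwd", "octet"),        # upload, not a GET
    "rrq_printer":    build_request(RRQ, "printer.cfg", "octet"),   # benign config pull
    "rrq_junk":       build_request(RRQ, "notes.txt", "octet") + b"passwd",  # needle after mode
}


def evaluate(samples=SAMPLES):
    """Run both checks over each sample; returns {name: (rule_hit, filename_hit)}."""
    return {name: (sid1443_matches(p), filename_check(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, fn_hit) in evaluate().items():
        print(f"{name:15s} sid1443={rule_hit!s:5s} filename_check={fn_hit}")
```

The two cases worth noticing are `wrq_passwd`, which the posted rule never
sees because it only keys on the RRQ opcode even though the post's own
scenario includes uploading a replacement passwd file, and `rrq_junk`,
where the rule fires on a byte string that is not the filename at all.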
