[Snort-sigs] SID 1441

warchild at ...288...
Sun Apr 28 15:28:03 EDT 2002

pcap attached

alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|0001|";
offset:0; depth:2; content:"nc.exe"; nocase;
classtype:successful-admin; sid:1441; rev:1;)


Someone attempted to get a file named 'nc.exe' via tftp.

This generally means that your Windows system has been compromised
(via any number of avenues) and the attacker is making an easy
backdoor for him/herself to walk back through.  Although using netcat
does not require any special privileges, such activity should always
be considered potentially hostile.

Detailed Information:
Someone tried to retrieve a netcat executable via tftp.  Netcat is the
swiss-army knife of must-have networking tools and is extremely useful
for creating backdoors, among other things.

Attack Scenarios:
After compromising your system or gaining some sort of access, an
attacker may prefer to make a backdoor so that future access is
easier.  netcat (commonly distributed as 'nc.exe') is a popular method
of doing this.  Since tftp can be executed in 'one shot, one kill'
mode, it is possible for an attacker to compromise your system and
tftp in a copy of netcat in one step.  i.e.,


Ease of Attack:
Trivial.  tftp is available on nearly all *nix and Windows machines
and is extremely easy to use.  Acquisition and proper use of netcat is
another thing.

False Positives:
Highly unlikely.

False Negatives:

Corrective Action:
Determine whether someone was tftp'ing to or from your system.
Chances are extremely good that the attacker was tftp'ing from your
system to a remote one in an attempt to get the netcat executable.
Determine if netcat is listening on a port and act accordingly.  Patch
the hole that they walked through.
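The following is an added example, not part of the original post or the Snort rule above. It parses TFTP read/write requests (RFC 1350: 2-byte opcode, filename, mode), applies the same two content tests SID 1441 makes (bytes 00 01 at offset 0, then "nc.exe" anywhere, case-insensitive), and answers the Corrective Action question of which host was fetching the file: for an RRQ that is always the packet's source, the TFTP server being the destination. The function names, the sample packets and the RFC 5737 addresses are all constructed for the example. It also shows one caveat the rule text does not spell out: a WRQ (opcode 0002) naming the same file is not matched by the rule, so the parser reports it separately.

```python
"""Added example (not from the original post): TFTP request parser plus a
mirror of the SID 1441 content checks and the direction triage a responder
needs. All packets and addresses below are constructed for illustration."""
import struct
from typing import Dict, List, Optional

TFTP_RRQ = 1  # read request: the sender wants to pull a file from the server
TFTP_WRQ = 2  # write request: the sender wants to push a file to the server
OPCODE_NAMES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def parse_tftp_request(payload: bytes) -> Optional[Dict[str, object]]:
    """Parse an RFC 1350 RRQ/WRQ: opcode (2 bytes), filename NUL, mode NUL.

    Returns None for anything that is not a well-formed read/write request
    (DATA, ACK, ERROR packets, or truncated input).
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # Expect filename, mode, and the empty remainder after the final NUL.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return {
        "opcode": OPCODE_NAMES[opcode],
        "filename": fields[0].decode("latin-1"),
        "mode": fields[1].decode("latin-1").lower(),
    }


def matches_sid_1441(payload: bytes) -> bool:
    """Same tests the rule applies: 00 01 at offset 0 (depth 2), then the
    string 'nc.exe' anywhere in the payload, case-insensitive (nocase)."""
    return payload[:2] == b"\x00\x01" and b"nc.exe" in payload.lower()


def triage(src: str, sport: int, dst: str, dport: int, payload: bytes) -> Dict[str, object]:
    """Combine the rule check with the responder's question: which host was
    fetching the file? For an RRQ it is the packet's source; the destination
    is the TFTP server it pulled from."""
    req = parse_tftp_request(payload) if dport == 69 else None
    alert = dport == 69 and matches_sid_1441(payload)
    fetching_host = src if (req and req["opcode"] == "RRQ") else None
    return {
        "alert": alert,
        "request": req,
        "fetching_host": fetching_host,
        "tftp_server": dst if req else None,
    }


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ/WRQ payload (constructed test input)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample traffic: (src, sport, dst, dport, udp payload)
SAMPLES = [
    ("192.0.2.50", 3012, "198.51.100.7", 69, build_request(TFTP_RRQ, "nc.exe")),
    ("192.0.2.50", 3013, "198.51.100.7", 69, build_request(TFTP_RRQ, "NC.EXE", "netascii")),
    ("192.0.2.50", 3014, "198.51.100.7", 69, build_request(TFTP_WRQ, "nc.exe")),
    ("192.0.2.50", 3015, "198.51.100.7", 69, build_request(TFTP_RRQ, "boot.cfg")),
    # DATA block 1 from the server's transfer port; the bytes happen to contain
    # the string, but the opcode is 0003 and the port is not 69, so no alert.
    ("198.51.100.7", 4321, "192.0.2.50", 3012, b"\x00\x03\x00\x01" + b"notes about nc.exe\n"),
]


def run(samples=SAMPLES) -> List[Dict[str, object]]:
    """Triage every sample packet and return the results in order."""
    return [triage(*s) for s in samples]


if __name__ == "__main__":
    for s, r in zip(SAMPLES, run()):
        print(f"{s[0]}:{s[1]} -> {s[2]}:{s[3]}  alert={r['alert']}  "
              f"request={r['request']}  fetching_host={r['fetching_host']}")
```

Running the block prints one line per sample; the first two fire (the second only because of nocase), the WRQ is parsed but does not fire, and the DATA packet is ignored entirely, which is the behaviour a responder should expect from the rule before deciding where to look on the host.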

warchild at ...288...

Additional References:
Attachment (non-text, scrubbed by the archive): tftp-nc.exe.tcpdump
Type: application/octet-stream, Size: 100 bytes
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020428/9da054fb/attachment.obj>
