[Snort-sigs] SID 518
warchild at ...288...
Thu Feb 7 18:25:02 EST 2002
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Write";
content:"|00 02|"; depth:2; reference:cve,CVE-1999-0
183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:2;)
A remote machine attempted to write files to your tftp directory.
Potential abuse my "warez" sites, or malicious users looking for an
easy place to store files for later retrieval.
The trivial file transfer program (tftp) provides a crude way for
files to be up/downloaded, but without the use of authentication.
This rule will detect a tftp write command, indicating the (attempted)
upload of a file to your host.
As part of a potential attack, a potential intruder may attempt to
determine the configuration of your tftp server, or potentially use
your host as a file cache as part of a warez network, exploit
repository, or other reasons.
Ease of Attack:
Trivial. Nearly all win32 and *nix clients provide tftp clients to
Ensure that your tftp directory is not writable by anonymous users,
and if it is, ensure that you have good reason for doing so.
Additionally, determine if tftp access to this machine is indeed
necesary. Finally, determine what (if any) files were transfered.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
More information about the Snort-sigs