[Snort-sigs] SID 335
Anton Chuvakin
anton at ...1177...
Wed Jan 8 14:23:05 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts";
flow:to_server,established; content:".rhosts";
reference:arachnids,328; classtype:suspicious-filename-detect;
sid:335; rev:4;)
--
Sid: 335
--
Summary: An attempt to copy a specific file to an FTP server.
--
Impact: an attacker might gain the ability to remotely connect to a server
via the r-commands with no password required.
--
Detailed Information:
The attack is an attempt to copy an ".rhosts" file to a server. An
".rhosts" file (and the equivalent "hosts.equiv", not tracked by the current
signature) is used to configure remote access via the r-commands
(rlogin, rsh, rcp, rexec). Specifically, the file might contain IP
addresses (or hostnames) and usernames that are allowed to connect to the
server, in the following format: "hostname [username]", where either
field can be a "+", indicating all hostnames or all usernames. The file
might also contain the string "+ +", which indicates that everybody from
any IP address is allowed to connect to the server with no password. The
file is located in the user's home directory.
--
Attack Scenarios: an attacker uploads an ".rhosts" file with "+ +" in it
to the user's home directory on the machine. Then he is able to connect to
the host via the "rlogin" command without entering a password, resulting in
a shell session.
--
Ease of Attack: The attack requires access to some user's home
directory via FTP. That means that anonymous FTP access cannot be used
for such an attack; a valid username and password are
required. Additionally, the ability to upload files via FTP is required
for a successful attack.
--
False Positives: if the string ".rhosts" is contained in the name of a
file being uploaded to the server, or in any other data the FTP client
sends to the server, the signature will trigger.
--
False Negatives: not known
--
Corrective Action: locate the uploaded ".rhosts" file and check it for
suspicious entries, such as "+" wildcards. Look for other suspicious
events that might have occurred within the same FTP session.
--
Contributors: Anton Chuvakin <http://www.chuvakin.org>
--
Additional References:
http://www.whitehats.com/info/IDS32
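As an added illustration (not part of the original post), the following Python checks an ".rhosts" file for the "+" wildcard entries described above, and reproduces the bare substring match SID 335 performs on client-to-server FTP data to show the false positive noted in the description. The sample file content and host names are constructed for the demo.

```python
# Added example, not code from the original post. Constructed sample
# .rhosts content; the host names are placeholders.
SAMPLE_RHOSTS = """\
trusted.example.net
trusted.example.net alice
+ alice
backup.example.net +
+ +
"""


def parse_rhosts(text):
    """Yield (line_no, hostname, username) for each non-empty line.
    Format is 'hostname [username]'; a missing username means the same
    account name as the local user, so it is not a wildcard."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        yield n, host, user


def audit_rhosts(text):
    """Return (line_no, host, user, finding) for every entry that uses a
    '+' wildcard, i.e. grants password-less r-command access broadly."""
    findings = []
    for n, host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            finding = "any host, any user: everyone gets password-less access"
        elif host == "+":
            finding = f"any host may log in as {user}"
        elif user == "+":
            finding = f"any user on {host} may log in"
        else:
            continue
        findings.append((n, host, user, finding))
    return findings


def sid335_would_fire(client_data: str) -> bool:
    """Mimic the rule's content match: a case-sensitive substring test for
    '.rhosts' anywhere in client-to-server data (flow:to_server). This is
    why a name such as 'notes.rhosts.bak' also triggers the signature."""
    return ".rhosts" in client_data


if __name__ == "__main__":
    for n, host, user, finding in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {n}: {host} {user or ''}: {finding}")
    print(sid335_would_fire("STOR .rhosts\r\n"))           # True
    print(sid335_would_fire("STOR notes.rhosts.bak\r\n"))  # True (false positive)
```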