[Snort-sigs] SID 356

Anton Chuvakin anton at ...1177...
Thu Jan 9 08:32:27 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval
attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"passwd"; reference:arachnids,213;
classtype:suspicious-filename-detect; sid:356; rev:4;)

Sid: 356


Summary: An attempt to retrieve a specific file from an FTP server.


Impact: attacker might gain knowledge of valid user names and/or
encrypted passwords from the server.

Detailed Information:

The attack is an attempt to download a copy of a "passwd" file from
the server. The UNIX "passwd" file (typically located in "/etc"
directory) is used to hold the authentication information for system
logins. The file need to be readable to all system users. In case
shadow passwords are used, the actual encrypted passwords are stored
in a separate file, only readable by root. It is often possible to use
various password cracking tools to get the unencrypted passwords
either by trying random character combinations, a predefined word list
or a combination of public user information.


Attack Scenarios: an attacker downloads a "passwd" file from a machine
without shadowed password and uses the John-the-Ripper tool to crack
the passwords for several accounts. He then proceeds to login to the
system remotely and possibly gains shell access on the system.


Ease of Attack: The attack usually requires an FTP access to the /etc
directory. Also, in the rare circumstances the system admin might have
accidentally left a copy of a "passwd" file in a directory accessible
for anonymous or other FTP users, which presents a high risk and
simplifies the attack.


False Positives: if the string "passwd" is contained within the
otherwise innocuous filename that is being retrieved from a server,
the signature will trigger. Also, anonymous FTP account often has a
separate password file within the chrooted anonymous FTP directory
(e.g. /var/ftp/etc/passwd). Such file usually does not contain valid
system usernames and passwords. While technically not a false
positive, this often presents a case of a false alarm.


False Negatives: not known.


Corrective Action: identify the downloaded file and confirm that it
indeed a valid system password file. Change the user passwords on the
system and notify the users.

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:


More information about the Snort-sigs mailing list