From: Harlan Carvey (keydet89@yahoo.com)
Date: Mon Aug 18 2003 - 16:20:46 EDT
Barry,
> >Actually, the worm does NOT "open up that port".
> >Instead, it launches the TFTP client on the system (not
> >unlike the Unicode exploit against IIS servers). In
> >doing so, it attempts to connect to a TFTP server, but
> >it does not "open up that port".
>
> The distinction is noted - sorry for the misuse of
> the term. :)
No problem. Understanding the issue and using the
right terminology cuts down (but does not prevent) the
wide-spread misinformation that tends to clog the
lists and inundate the poor helpdesk.
> >How have you verified this? Some clarification
> >regarding how you were able to verify that this is an
> >automated backdoor scan would be very instructive for
> >the group.
>
> Ok - the scan was in context of generic tftp gets for
> /etc/passwd along with scans for Trinoo, BackOrifice, and
> portal-of-doom. No backdoors were found and the scan was
> patterned and sequential down the IP range. Classic scan
> pattern. Not one we get often, but still clearly a scan.
Good to hear. Sometimes folks post to the lists saying
they "verified" that it was a scan, or a particular
tool, or whatever...and there's never any clarifying
information. I think many of the readers who aren't
as familiar with the particular situation would
benefit from this...and by sharing info, we all
benefit.
> Dealing primarily with a heterogeneous architecture,
> Windows NT/2000, Unix (multiple varieties), and GNU/Linux.
> That's really the problem - I can't really search the boxes
> in all cases - I really have to pen-test for determination.
> I'll look into those utilities for scanning for processes.
> That was helpful. Thanks.
It'll be tougher on *nix boxen, but you can set
something up via SSH, most likely. If you have a
domain admin account, scanning the Windows boxen would
be fairly easy, even to script.
Harlan
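As an added illustration of the "how did you verify it was a scan?" point above (this is example code written for this archive page, not something posted by Harlan or Barry), the script below takes a batch of firewall log lines and checks for exactly the pattern Barry describes: one source working its way sequentially down an IP range, probing a fixed set of backdoor-style ports, with nothing answering or being let through. The log format, the addresses and the timestamps are constructed for the example; the port-to-name table uses the well-known defaults for TFTP, Trinoo and BackOrifice and deliberately leaves out portal-of-doom rather than guess at its ports.

```python
"""Cross-check firewall log lines for a sequential backdoor-port sweep.

Added example for the thread above. The log line shape, hosts and
timestamps are constructed; only the port defaults are real.
"""
import ipaddress
import re
from collections import defaultdict

# Well-known defaults for the services the thread mentions. Treat this
# as illustrative, not as a complete backdoor-port list.
WATCHED_PORTS = {
    69: "tftp",
    27444: "trinoo-master",
    31335: "trinoo-daemon",
    31337: "back-orifice",
}

# Assumed (constructed) log line shape:
#   "<date> <time> <PROTO> <src>:<sport> -> <dst>:<dport> <ACTION>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample: 203.0.113.7 walks 192.0.2.10 .. .13 hitting the
# same three ports on each host; the last two lines are unrelated noise.
SAMPLE_LOG = """\
2003-08-18 14:02:01 UDP 203.0.113.7:4021 -> 192.0.2.10:69 DROP
2003-08-18 14:02:01 UDP 203.0.113.7:4022 -> 192.0.2.10:31337 DROP
2003-08-18 14:02:01 UDP 203.0.113.7:4023 -> 192.0.2.10:27444 DROP
2003-08-18 14:02:02 UDP 203.0.113.7:4024 -> 192.0.2.11:69 DROP
2003-08-18 14:02:02 UDP 203.0.113.7:4025 -> 192.0.2.11:31337 DROP
2003-08-18 14:02:02 UDP 203.0.113.7:4026 -> 192.0.2.11:27444 DROP
2003-08-18 14:02:03 UDP 203.0.113.7:4027 -> 192.0.2.12:69 DROP
2003-08-18 14:02:03 UDP 203.0.113.7:4028 -> 192.0.2.12:31337 DROP
2003-08-18 14:02:03 UDP 203.0.113.7:4029 -> 192.0.2.12:27444 DROP
2003-08-18 14:02:04 UDP 203.0.113.7:4030 -> 192.0.2.13:69 DROP
2003-08-18 14:02:04 UDP 203.0.113.7:4031 -> 192.0.2.13:31337 DROP
2003-08-18 14:02:04 UDP 203.0.113.7:4032 -> 192.0.2.13:27444 DROP
2003-08-18 14:02:05 UDP 198.51.100.5:53 -> 192.0.2.20:53 ALLOW
2003-08-18 14:02:06 UDP 198.51.100.9:5000 -> 192.0.2.12:69 DROP
"""


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def is_sequential(addrs):
    """True if the addresses, in arrival order, step upward by exactly one."""
    ints = [int(ipaddress.ip_address(a)) for a in addrs]
    return len(ints) >= 2 and all(b - a == 1 for a, b in zip(ints, ints[1:]))


def find_sweeps(records, min_hosts=3):
    """Per source, summarise probes against watched ports.

    Only sources touching at least min_hosts distinct destinations are
    reported. 'allowed' counts watched-port probes the firewall did not
    DROP, which is the first place to look if a backdoor did answer.
    """
    by_src = defaultdict(lambda: {"order": [], "services": set(),
                                  "probes": 0, "allowed": 0})
    for r in records:
        if r["dport"] not in WATCHED_PORTS:
            continue
        s = by_src[r["src"]]
        s["probes"] += 1
        s["services"].add(WATCHED_PORTS[r["dport"]])
        if r["action"].upper() != "DROP":
            s["allowed"] += 1
        if r["dst"] not in s["order"]:
            s["order"].append(r["dst"])

    report = {}
    for src, s in by_src.items():
        if len(s["order"]) < min_hosts:
            continue
        report[src] = {
            "hosts": len(s["order"]),
            "first": s["order"][0],
            "last": s["order"][-1],
            "sequential": is_sequential(s["order"]),
            "services": sorted(s["services"]),
            "probes": s["probes"],
            "allowed": s["allowed"],
        }
    return report


def classify(text, min_hosts=3):
    """Convenience wrapper: raw log text in, per-source sweep report out."""
    return find_sweeps(parse_log(text), min_hosts)


if __name__ == "__main__":
    for src, info in classify(SAMPLE_LOG).items():
        verdict = "sequential sweep" if info["sequential"] else "scattered probes"
        print(f"{src}: {verdict} over {info['hosts']} hosts "
              f"({info['first']}..{info['last']}), services {info['services']}, "
              f"{info['allowed']} of {info['probes']} probes allowed through")
```

Run against the constructed sample, the single-host TFTP probe from 198.51.100.9 and the DNS traffic are ignored, and 203.0.113.7 is reported as a sequential sweep over four hosts with zero probes allowed through, which is the kind of specific evidence Harlan is asking posters to include when they say they "verified" a scan.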
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT