From: Barry Fitzgerald (bkfsec@sdf.lonestar.org)
Date: Mon Aug 18 2003 - 16:43:15 EDT
Harlan Carvey wrote:
>
>No problem. Understanding the issue and using the
>right terminology cuts down (but does not prevent) the
>wide-spread misinformation that tends to clog the
>lists and inundate the poor helpdesk.
>
Never were truer words spoken! (Being as I've both been on helpdesk and
done security work, I know EXACTLY what you mean. :) I have no excuse...)
>
>Good to hear. Sometime folks post to the lists saying
>they "verified" that it was a scan, or a particular
>tool, or whatever...and there's never any clarifying
>information. I think many of the readers who aren't
>as familiar with the particular situation would
>benefit from this...and by sharing info, we all
>benefit.
>
I more wanted to cut down on the list traffic figuring that people would
ask for specifics if they wanted them. Turns out that it worked exactly
in that way. In hindsight, I should have given more information, and
certainly - the more public education the better.
>
>It'll be tougher on *nix boxen, but you can set
>something up via SSH, most likely. If you have a
>domain admin account, scanning the Windows boxen would
>be fairly, even to script.
>
Actually, what I'm concerned with there (and likewise on the Windows
boxes) is kernel-level process-hiding rootkits - somebody having started
a tftp server and then hiding it in the process list via a kernel-level
"patch". So, scanning over the network would be better. But, as you so
aptly said, scanning via UDP in this way provides questionable results.
Actually, without considering the possibility of a rootkit that hides
the process, I'd consider a nice shell-script reporting tool fairly
simple to write ('ps ax' and comparing against a baseline, just in case
the tftp server were renamed - actually, that would serve as more than a
tftp-server finder) - in fact, simpler than on MS Windows... but
rootkits really throw a wrench into both situations. :) So, certainly,
the optimal type of tool would be a scanner that looks for active
tftp servers over the network, focusing primarily on detecting tftp
connections via UDP for my purposes.
-Barry
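The network-side check Barry describes, as an added example that is not part of the original thread or any tool the posters mention: it sends a TFTP read request (RRQ, RFC 1350) for a file that should not exist and classifies the reply. A live server answers an RRQ with either DATA (opcode 3, the file exists) or ERROR (opcode 5, usually code 1 "File not found"), so either reply proves a server is listening regardless of what 'ps' on the host shows; silence is the weak spot, since a timeout can mean no server, a firewall, or a dropped datagram, which is why the UDP results are "questionable". The probe file name, the 2-second timeout and the loopback fake server used for the demo are assumptions made for this example.

```python
"""Added example: probe hosts for an active TFTP server over UDP.

Not code from the original thread.  The probe file name and the
loopback fake server are assumptions made for this example.
"""
import socket
import struct
import threading

TFTP_PORT = 69
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5
PROBE_FILE = b"tftp-probe-does-not-exist"   # assumed name; unlikely to exist


def build_rrq(filename=PROBE_FILE, mode=b"octet"):
    """Encode an RRQ: 2-byte opcode, filename, NUL, mode, NUL (RFC 1350)."""
    return struct.pack("!H", OP_RRQ) + filename + b"\0" + mode + b"\0"


def classify_response(payload):
    """Turn the first datagram received after an RRQ into a verdict string."""
    if len(payload) < 4:
        return "malformed"
    opcode, arg = struct.unpack("!HH", payload[:4])
    if opcode == OP_DATA:
        # The server really has the probe file; block 1 carries up to 512 bytes.
        return "tftp-data block=%d len=%d" % (arg, len(payload) - 4)
    if opcode == OP_ERROR:
        msg = payload[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return "tftp-error code=%d msg=%r" % (arg, msg)
    return "non-tftp opcode=%d" % opcode


def probe(host, port=TFTP_PORT, timeout=2.0):
    """Send one RRQ to host:port and return a verdict; never raises on network errors."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(), (host, port))
        # A TFTP server replies from a fresh ephemeral port (its TID), so the
        # reply is accepted from any source port, not just 69.
        payload, _src = sock.recvfrom(1024)
        # A DATA reply is never ACKed here, so a server that had the file
        # retransmits a few times and gives up on its own.
        return classify_response(payload)
    except socket.timeout:
        return "no reply (unknown: no server, filtered, or dropped)"
    except OSError as exc:
        # ICMP port-unreachable shows up as ConnectionResetError/Refused on some platforms.
        return "port unreachable (%s)" % exc.__class__.__name__
    finally:
        sock.close()


def sweep(hosts, port=TFTP_PORT, timeout=2.0):
    """Probe every host and return {host: verdict}: the report the thread wanted."""
    return {h: probe(h, port, timeout) for h in hosts}


def start_fake_tftp_server(reply):
    """Demo fixture: one-shot UDP responder on loopback; returns its port.

    A real server answers from a new socket (new TID); replying from the
    listening socket is good enough to exercise probe() offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        data, addr = srv.recvfrom(1024)
        if data[:2] == struct.pack("!H", OP_RRQ):
            srv.sendto(reply, addr)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed "File not found" error reply, the usual answer to the probe.
    demo_port = start_fake_tftp_server(b"\x00\x05\x00\x01File not found\x00")
    print(sweep(["127.0.0.1"], port=demo_port))
```

Against real hosts, call sweep() with the address list and the default port 69; anything other than "no reply" is a positive finding worth a closer look, and the "no reply" hosts are the ones a rootkit-proof method still cannot vouch for.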
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT