Snort mailing list archives

Re: SCAN Amanda and port 0 traffic


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 25 Mar 2003 19:08:38 -0500

At 02:57 PM 3/25/2003 -0800, you wrote:
My understanding is that Snort caught a udp packet (containing the word amanda and I guess asking for the version of the amanda client program running) going to Amanda program running on 2.23.24.25. My understanding in the Amanda software is not good... but why would anyone want to send a udp packet to this software package running on that host?? Do they get any info back? Does it cause any harm to the host machine? Should I be worried about this alert? Why does it say "request" as in SCAN Amanda client version "request".

By "Request" they mean just that.. the client is expected to return what version it is in response to the command from the server. This is generally the first part of an exchange with Amanda, so you should consider this someone testing to see if you have this trojan on your system. If the client exists on your machine and then responds, the attacker can then send commands to Amanda.

Amanda, if present, gives _FULL_ control of your system to the attacker and includes a key logging package to steal passwords.

There's no evidence here that you actually have the Amanda trojan, just that someone was trying to access it on 2.23.24.25. Presumably they were probing your network for infected machines, looking to take advantage of them. It's commonplace for unskilled hackers to "joyride" by scanning networks for simple vulnerabilities or trojan horses and play with the computers they find to be vulnerable.
Second question is with regards to the tcp traffic sent to port 0. Snort catches this traffic and lists this as BAD traffic to port 0. Is it at all harmful if our host machines receive traffic to port 0? If not .. what gain does an attacker get out of this??
Using TCP port 0 is a common tactic to avoid some badly written packet filters.... Some net admins fail to realize that there is a port 0, thinking that the lowest port number is 1, and thus don't account for it when writing firewall rules.

An attacker gains the advantage of possibly bypassing firewall rules, or badly written intrusion sensors.

It should also be noted that very, very, old versions of DNS were done on port 0, but that wasn't done using TCP.
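A small triage script, added here as an illustration and not part of the thread, that flags the two alert classes the reply describes over constructed packet records and shows why a port filter written as 1-1023 lets TCP port 0 through; Amanda's UDP port 10080 is an assumption taken from the IANA registry, not something the message states.

```python
# Added example: triage packet records for the two alerts discussed above
# (TCP to port 0, and a UDP probe carrying "Amanda") and check whether a
# block rule actually covers port 0.
from dataclasses import dataclass

AMANDA_UDP_PORT = 10080  # assumption: IANA "amanda" port, not stated in the thread


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def blocked_by(rules, pkt):
    """rules: list of (proto, low_port, high_port) block ranges (inclusive)."""
    return any(p == pkt.proto and lo <= pkt.dport <= hi for p, lo, hi in rules)


def triage(pkt):
    """Return the alert label a defender would raise for this packet, or None."""
    if pkt.proto == "tcp" and pkt.dport == 0:
        return "BAD TRAFFIC tcp port 0"
    if pkt.proto == "udp" and pkt.dport == AMANDA_UDP_PORT and b"Amanda" in pkt.payload:
        return "SCAN Amanda client version request"
    return None


def leaks_port_zero(rules):
    """True if a TCP packet to port 0 would pass the given block rules."""
    return not blocked_by(rules, Packet("tcp", "0.0.0.0", "0.0.0.0", 0))


# Constructed sample traffic modelled on the two alerts in the thread.
SAMPLE = [
    Packet("udp", "198.51.100.7", "2.23.24.25", AMANDA_UDP_PORT, b"Amanda 2.3 REQ HANDLE"),
    Packet("tcp", "198.51.100.7", "2.23.24.25", 0),
    Packet("tcp", "198.51.100.7", "2.23.24.25", 22),
]

WEAK_RULES = [("tcp", 1, 1023)]   # assumes the lowest port is 1: misses port 0
FIXED_RULES = [("tcp", 0, 1023)]  # corrected range that includes port 0

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.proto, pkt.dport, triage(pkt))
    print("weak ruleset lets port 0 through:", leaks_port_zero(WEAK_RULES))
    print("fixed ruleset lets port 0 through:", leaks_port_zero(FIXED_RULES))
```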