TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

MIME header, Exchange would cease to operate. Restarting the service and deleting the offending email would be
required in order to regain normal functionality. In order to determine the offending email, restart Exchange. The
hostile email would then appear at the front of the queue.
Signature ID: 2227
SMTP Malformed expn Command attempt
Threat Level: Information
Industry ID: CVE-1999-1200
Signature Description: SMTP servers are vulnerable to DoS attacks if a remote attacker sends a specific set of
commands to the server process, causing the system to consume all available memory and disk space and driving CPU
usage to 100%. This event is generated when an attempt is made to send a malformed request to an SMTP server which
may cause a denial of service. SMTP provides useful commands such as EXPN. The EXPN command is used to learn the
user accounts on the SMTP server. An attacker uses this command to learn the user accounts or to cause a DoS by sending
a specially crafted EXPN command to the SMTP server. The attacker first telnets to the SMTP server and issues the MAIL
FROM and RCPT TO commands; after that he sends an EXPN command followed by *@, which leads the SMTP
server into a DoS. Vixar MailServer for Windows is vulnerable to this attack. It is recommended that if the EXPN service is
not needed, the EXPN command be disabled on the SMTP server.
Signature ID: 2228
SMTP Cybercop attempt with EXPN service
Threat Level: Information
Industry ID: CVE-1999-0531 Nessus: 10249
Signature Description: Cybercop Scanner is scanning software that searches for system vulnerabilities. It sends an EXPN
command to SMTP server ports to determine whether the SMTP server will return a list of email addresses, aliases, and
distribution lists. If the SMTP server responds to the EXPN request, the attacker learns sensitive information about the
SMTP server. If the EXPN service is not needed, it is recommended that it be disabled on the SMTP server.
Signature ID: 2229
Majordomo lists Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0208 CVE-1999-0207 Bugtraq: 2310,1749
Signature Description: Majordomo is a Perl-based Internet e-mail list server. Great Circle Associates Majordomo 1.90
and Great Circle Associates Majordomo 1.89 are vulnerable to an attack in which specially crafted e-mail headers are
incorrectly processed. This is possible only when the "advertise" or "no advertise" directives are specified in the
configuration files. Successful exploitation of this attack allows an attacker to execute arbitrary commands with
user privileges. This rule triggers when an attempt is made to exploit this vulnerability. Upgrade to the latest version
available from the vendor's web site.
Signature ID: 2230
SMTP rcpt to command attempt
Threat Level: Information
Industry ID: CVE-1999-0095 Bugtraq: 1
Signature Description: A vulnerability exists in older versions of Sendmail associated with debug mode.
Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail,
often root. The "sed" command is used to strip off the mail headers before executing the supplied command. This
vulnerability was exploited by the Morris worm. Sendmail versions prior to 5.5.9 are vulnerable to this attack.
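The following Python example is added here and is not part of the reference guide or the TMS zl Module's own signature engine. It shows the kind of session-level check that signatures 2227, 2228 and 2230 describe, applied to a constructed SMTP transcript: it flags any EXPN command (the reconnaissance case of 2228), distinguishes an EXPN whose argument carries the "*@" shape the guide ties to the CVE-1999-1200 denial of service (2227), flags a RCPT TO recipient containing a shell pipe character (the debug-mode recipient-as-command case of 2230), and reports whether the server actually answered EXPN with a 2xx reply, which is the practical test of whether the recommended "disable EXPN" mitigation is in place. The transcript, the "C:"/"S:" line prefixes and the placeholder recipient are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample SMTP transcript (assumption: not taken from the guide).
# "C:" lines are client commands, "S:" lines are the server's replies.
SAMPLE_SESSION = [
    "C: EHLO client.example",
    "S: 250 mail.example.test Hello",
    "C: MAIL FROM:<probe@example.test>",
    "S: 250 OK",
    "C: RCPT TO:<postmaster@example.test>",
    "S: 250 OK",
    "C: EXPN staff",
    "S: 250 alice@example.test",
    "C: EXPN *@",
    "S: 502 Command not implemented",
    "C: RCPT TO:<\"| placeholder-command\">",
    "S: 550 Unknown recipient",
]


@dataclass
class Finding:
    line_no: int                 # 1-based position of the command in the transcript
    kind: str                    # expn_probe | expn_malformed | rcpt_pipe
    command: str                 # the client command that triggered the finding
    server_reply: Optional[str]  # the server reply that followed it, if any


EXPN_RE = re.compile(r"^EXPN\b\s*(?P<arg>.*)$", re.IGNORECASE)
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*(?P<arg>.*)$", re.IGNORECASE)
# The "*@" argument the guide associates with the EXPN denial of service (CVE-1999-1200).
EXPN_MALFORMED_RE = re.compile(r"\*@")


def classify_command(cmd: str) -> Optional[str]:
    """Map one client command to a finding kind, or None if it is not of interest."""
    m = EXPN_RE.match(cmd)
    if m:
        # Any EXPN is a reconnaissance probe; the "*@" form is the malformed variant.
        return "expn_malformed" if EXPN_MALFORMED_RE.search(m.group("arg")) else "expn_probe"
    m = RCPT_RE.match(cmd)
    if m and "|" in m.group("arg"):
        # A recipient that looks like a command pipeline rather than a mailbox.
        return "rcpt_pipe"
    return None


def scan_smtp_session(lines: List[str]) -> List[Finding]:
    """Walk a transcript and collect findings, pairing each with the reply that followed."""
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        if not line.startswith("C: "):
            continue
        cmd = line[3:].strip()
        kind = classify_command(cmd)
        if kind is None:
            continue
        reply = None
        if idx + 1 < len(lines) and lines[idx + 1].startswith("S: "):
            reply = lines[idx + 1][3:].strip()
        findings.append(Finding(idx + 1, kind, cmd, reply))
    return findings


def expn_enabled(findings: List[Finding]) -> bool:
    """True if the server answered any EXPN with a 2xx reply, i.e. EXPN is still enabled."""
    return any(
        f.kind.startswith("expn") and f.server_reply is not None and f.server_reply.startswith("2")
        for f in findings
    )


if __name__ == "__main__":
    results = scan_smtp_session(SAMPLE_SESSION)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.command!r} -> {f.server_reply!r}")
    print("EXPN enabled on server:", expn_enabled(results))
```

In the sample transcript the server answers "EXPN staff" with a 250 reply and so discloses list membership, which is exactly what signature 2228 warns about; a server with EXPN disabled would answer with a 5xx (or 252) reply and `expn_enabled` would return False. The pipe check is deliberately narrow: it only flags a recipient that contains "|", so ordinary mailboxes in the same session produce no finding.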