ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 3062
VNC Through HTTP Traffic Detected
Threat Level: Warning
Nessus: 10758
Signature Description: VNC (Virtual Network Computing) software makes it possible to view and fully interact with
one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform,
allowing remote control between different types of computers. For ultimate simplicity, there is even a Java viewer, so
that any desktop can be controlled remotely from within a browser without having to install software. Using this, VNC
permits a console to be displayed remotely.
Signature ID: 3063
VNC HTTP Traffic with vncviewer.class Detected
Threat Level: Warning
Nessus: 10758
Signature Description: VNC (Virtual Network Computing) software makes it possible to view and fully interact with
one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform,
allowing remote control between different types of computers. For ultimate simplicity, there is even a Java viewer, so
that any desktop can be controlled remotely from within a browser without having to install software. Using this, VNC
permits a console to be displayed remotely. This signature detects access to the vncviewer class.
Signature ID: 3065
Request to Trin00 for Windows server
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10307,10024,10152,10151,10409,10053,10270,10501,10288,10350,10920,10921,10501
Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems,
which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". It is a UDP-based, access-restricted remote command shell, used in conjunction with
sniffers to automate recovering sniffer logs. This signature detects Trin00 server requests.
Signature ID: 3066
Backdoor WinSATAN server Login using "uyhw6377w"
Threat Level: Warning
Nessus: 10316
Signature Description: The WinSATAN trojan claims to be a security application called WinSATAN. However, none
of the software's three functions works properly. The trojan is written in Delphi and has a hard-coded list of IRC
servers. The trojan runs on startup and tries to connect to the IRC servers every few seconds until successful. The
connection remains even when the program is closed, and this activity cannot be detected using Task Manager or by
seeing applications on the task bar. This trojan affects only Windows 3.x and Windows 9x. This signature detects use
of a hard-coded user name in the trojan.
Signature ID: 3067
Backdoor WinSATAN server Login
Threat Level: Warning
Nessus: 10316
Signature Description: The WinSATAN trojan claims to be a security application called WinSATAN. However, none
of the software's three functions works properly. The trojan is written in Delphi and has a hard-coded list of IRC
servers. The trojan runs on startup and tries to connect to the IRC servers every few seconds until successful. The
connection remains even when the program is closed, and this activity cannot be detected using Task Manager or by