TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 3177
Microsoft IIS BACKDOOR sensepost.exe command shell Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0884 Bugtraq: 1806 Nessus: 11003
Signature Description: Microsoft IIS 4.0 and 5.0 are vulnerable to double dot "../" directory traversal exploitation if
extended UNICODE character representations are used in substitution for "/" and "\". Intruders can traverse to an
unauthorized root directory or execute malicious commands via sensepost.exe. Once an attacker gains access to an IIS
server, they may copy cmd.exe to sensepost.exe and then use it to execute commands. Successful exploitation can
give access to the target machine by sending HTTP GET requests, and also allows execution of malicious commands using the
privileges of the IIS user.
Signature ID: 3180
BackDoor Acid Battery
Threat Level: Information
Signature Description: BackDoor Acid Battery is a Trojan that opens up a backdoor program that, once installed on a
system, permits unauthorized users to remotely alter the user interface, manage files, take screenshots, etc. Acid Battery
typically runs over port 32418 via TCP.
Signature ID: 3181
Alvgus BackDoor detection
Threat Level: Severe
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plaintext, etc. while attempting to remain undetected. Alvgus, also known as
Backdoor.Alvgus.a or Trojan.PSW.TFC, is a backdoor Trojan affecting Microsoft Windows family of operating
systems. Alvgus uses a client-server relationship, where the server component is installed in the victim's system and the
remote attacker has control of the client. The server attempts to open a port, typically TCP or UDP port 27184, to allow
the client system to connect. The Alvgus backdoor permits unauthorized users to remotely perform a variety of operations
such as changing the registry, executing commands, starting services, listing files, and uploading or downloading
files.
Signature ID: 3182
BackDoor CGI Bionet 0.84
Threat Level: Severe
Signature Description: Backdoor CGI BioNet 0.84 is a Trojan that opens up a backdoor program that, once installed on
a system, permits unauthorized users to remotely perform a variety of operations, such as recording passwords, manipulating
files on the victim's computer, changing the date or time, playing sounds, and changing screen colors and resolution.
Signature ID: 3183
BackDoor Chupacabra
Threat Level: Severe
Signature Description: Chupacabra is a backdoor written in Visual Basic. It infects vulnerable Microsoft Windows
operating systems. During installation, Chupacabra copies itself to the winprot.exe file in the Windows System
directory, and modifies the registry to ensure that it is executed whenever Windows starts. Once installed, the
Chupacabra server could enable remote attackers to delete files, disable or enable CTRL-ALT-DEL,
format the computer, get ICQ user information, get the local time, hide or show the task bar, send a message, and start the
screensaver. By default, the Chupacabra server listens on Transmission Control Protocol (TCP) port 13473 for an
incoming connection.