TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

human-oriented status and user information. The cfinger daemon is a daemon serving the Finger protocol. This
signature detects an attempt to learn the version of the Finger service. A Finger daemon should not advertise its version to the
world, because doing so gives attackers an opportunity to focus their attacks.
Signature ID: 5003
Finger Zero/Dot at host vulnerability
Threat Level: Information
Industry ID: CVE-1999-0197 CVE-1999-0198 Nessus: 10069,10072
Signature Description: There is a bug in the finger service that makes it display the list of accounts that have
never been used when anyone issues the request: finger 0@target or .@target. This list will help an attacker to guess
the operating system type. It will also let him know which accounts have never been used, to focus his attacks on these
accounts.
Signature ID: 5009
In.fingerd "pipe" command@target or DG/UX fingerd attack
Threat Level: Information
Industry ID: CVE-1999-0152 Bugtraq: 2220 Nessus: 10126
Signature Description: There is a bug in the remote finger service that allows anyone to execute any command as root
or to read arbitrary files by issuing requests such as: finger |command_to_execute@target. For example, finger |cat
/etc/passwd@target will display the content of /etc/passwd. Also, some versions of the DG/UX fingerd pass their input
to a shell. This makes it possible for remote attackers to execute arbitrary commands on the DG/UX system.
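As an added example (not ProCurve's signature logic), the following Python check classifies Finger request lines arriving on TCP port 79 against the request forms described for signatures 5003 and 5009. The matching rules, function names and sample requests are assumptions constructed for illustration.

```python
import re

# Signature IDs come from the entries above; the matching rules are this
# example's assumption, not the vendor's actual patterns.
SIG_ZERO_DOT = 5003   # Finger Zero/Dot at host
SIG_PIPE = 5009       # in.fingerd "pipe" command@target

_VERBOSE = re.compile(rb"^/W\s*", re.IGNORECASE)  # RFC 1288 verbose switch


def classify_finger_query(payload: bytes) -> list:
    """Return the signature IDs matched by one Finger request (TCP port 79)."""
    # A Finger request is a single line terminated by CRLF.
    line = payload.split(b"\n", 1)[0].rstrip(b"\r").strip()
    line = _VERBOSE.sub(b"", line)
    # In a forwarded query (user@host) only the part before "@" is the user.
    user = line.split(b"@", 1)[0].strip()
    hits = []
    if user in (b"0", b"."):
        hits.append(SIG_ZERO_DOT)
    if b"|" in user:
        hits.append(SIG_PIPE)
    return hits


def scan(payloads):
    """Map each request that matched to its signature IDs."""
    return {p: ids for p in payloads if (ids := classify_finger_query(p))}


# Constructed sample requests, as they would appear on the wire.
SAMPLES = [
    b"alice\r\n",
    b"\r\n",
    b"0\r\n",
    b"/W .\r\n",
    b"|cat /etc/passwd\r\n",
]

if __name__ == "__main__":
    for request, ids in scan(SAMPLES).items():
        print(request, "->", ids)
```

An ordinary user lookup and the empty request pass without a match; only the zero/dot and pipe forms are reported.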
Signature ID: 5011
Perl finger CGI remote command execution Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0150 CVE-2000-0128 Bugtraq: 974
Signature Description: 'The Finger Server' is a Perl script for providing .plan-like functionality through a website. Due
to an insufficient input check on "open()" in the Perl script, remote unauthenticated users can execute shell
commands on the server, which will run with the privileges of the web server. The vulnerable version is Finger Server
0.82.0BETA. This signature triggers when an attempt is made to remotely execute shell commands using the 'finger
server' Perl script running on the Web server.
Signature ID: 5015
Backdoor CDK on TCP port 79
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus: 10036,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: The remote host appears to be running a CDK backdoor program that can be used to control
your system. CDK is a backdoor Trojan that infects Windows operating systems. CDK consists of a server, which is
planted on the victim machine, and a client used by the attacker for remote control of the target system. When the CDK
server is running, it listens on TCP port 79 or 15858 for incoming connections. The CDK client connects to the infected
system using the login command and ypi0ca password. This rule detects an inbound connection on port 79, which
indicates the possible presence of the CDK backdoor.
Signature ID: 5016
Finger backdoor Access
Threat Level: Information
Industry ID: CVE-1999-0660 Nessus: 10070,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921