ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature Description: The finger service provides users with information about a remote system, user listings, etc.
An attacker can compromise a UNIX system by deploying a backdoor that allows the attacker to send cmd_rootsh to
the finger service to gain root access rights. The rule looks for cmd_rootsh in a finger connection originating from
the external network. There is a chance that the installed finger daemon is a backdoor. If a root shell has been installed as
/tmp/.sh, then this finger daemon is definitely a trojan, and your system has been compromised.
Signature ID: 5018
FINGER account enumeration
Threat Level: Information
Industry ID: CVE-2001-1503 Bugtraq: 3457 Nessus: 10788
Signature Description: The finger daemon (in.fingerd) allows remote attackers to list all accounts on a host by typing
finger 'a b c d e f g h'@host. From this information, an attacker can derive knowledge about active accounts, unused
accounts and the type of operating system. This knowledge helps the attacker focus further attacks on these accounts.
Signature ID: 5019
FINGER bomb
Threat Level: Information
Industry ID: CVE-1999-0106
Signature Description: The Finger daemon is used to provide information about users on a UNIX system. It used to be
installed and enabled by default on most UNIX/Linux systems. The Finger Bomb attack can crash or overload
vulnerable machines. This rule detects Finger Bomb attack attempts.
Signature ID: 5020
FINGER cybercop query
Threat Level: Information
Industry ID: CVE-1999-0612 Nessus: 10068
Signature Description: Cybercop is a vulnerability scanner used for penetration testing. The tool provides
very detailed information about the system, which also makes Finger a favourite tool for hackers. The detailed
information it provides may be used by hackers to initiate a social engineering attack on a target machine. This rule
indicates that someone may be running Cybercop against the Finger service.
Signature ID: 5021
FINGER null request
Threat Level: Information
Industry ID: CVE-1999-0612 Nessus: 10068
Signature Description: When a packet is transmitted to server port 79 (Finger) with a null character in the data, some
Unix finger commands will respond with a full list of usernames. A remote attacker could use this information for other
exploits, including dictionary-based password attacks and social engineering attempts.
Signature ID: 5022
FINGER remote command execution attempt
Threat Level: Information
Industry ID: CVE-1999-0150 CVE-2000-0128 Bugtraq: 974
Signature Description: 'The Finger Server' is a Perl script for providing .plan-like functionality through a website. Due
to insufficient input checking, it is possible for remote unauthenticated users to execute shell commands on the server,
which will run with the privileges of the webserver.