ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 6039
MS-IIS FTPd Status request DoS Vulnerability
Threat Level: Critical
Industry ID: CVE-2002-0073 Bugtraq: 4482 Nessus: 10934
Signature Description: It is possible to make the remote Microsoft IIS FTP server crash by sending a command like
'STAT *?AAAAA....AAAAA'. The vulnerability is triggered when the server receives a request for the FTP transfer status via the
STAT command. A client issuing this command with a large number of file globbing characters as the argument may
cause the service to crash. On IIS 4.0 servers, the service must be manually restarted. On IIS 5.0 and 5.1 servers, the
service will restart itself automatically. Visit the Microsoft website to install the suggested patch for the affected IIS
version.
Signature ID: 6041
CC Scanner's FTP Root Directory write-enabled Check Vulnerability
Threat Level: Information
Signature Description: Network Associates' (NAI) CyberCop Scanner 5.5 is a vulnerability scanner that tracks down
security vulnerabilities across a given network. Many attackers use this tool to gather network-related information
before launching any major attack. This rule triggers when CyberCop Scanner is used to check whether the anonymous FTP root
directory is either world write-enabled or write-enabled by the anonymous ftp account, in a bid to write unauthorised
data or information. The solution is to write-protect the anonymous FTP root directory.
Signature ID: 6044
Anonymous FTP directory setup vulnerability
Threat Level: Information
Signature Description: This rule hits when the FTP CWD command is followed by the local directory path pub. The
anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same
group as the ftp account. This is a common configuration problem. If any of these directories are owned by ftp or are in
the same group as the ftp account and are not write-protected, an intruder will be able to add files (such as a .rhosts file)
or modify other files. This rule detects the presence of a CWD command with pub as its argument, as this indicates that
the PUB directory is being accessed from outside. Therefore having files write-enabled on your FTP server can cause problems
such as allowing your site to become a pirated software drop point.
Signature ID: 6045
Anonymous FTP directory setup vulnerability
Threat Level: Information
Signature Description: This rule hits when the FTP CWD command is followed by the local directory path lib. The anonymous
FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same group as the
ftp account. This is a common configuration problem. If any of these directories are owned by ftp or are in the same
group as the ftp account and are not write-protected, an intruder will be able to add files (such as a .rhosts file) or
modify other files. This rule detects the presence of a CWD command with lib as its argument, as this indicates that
the LIB directory is being accessed from outside. Therefore having files write-enabled on your FTP server can cause problems
such as allowing your site to become a pirated software drop point. Ref: CERT Advisory CA-93:10
Signature ID: 6046
Anonymous FTP directory setup vulnerability
Threat Level: Information
Signature Description: This rule hits when the FTP CWD command is followed by a local directory path such as etc. The
anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or be in the same
group as the ftp account. This is a common configuration problem. If any of these directories are owned by ftp or are in