ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
vulnerabilities that allow an attacker to perform activities such as directory traversal and information disclosure. The
vulnerability is not in glftpd itself but in a suite of zip-based plug-ins that ship with the glftpd package by
default and are widely used in glftpd installations. By using a command like SITE NFO ../../etc/*, the
attacker can view files in a folder outside the FTP root. This rule looks for suspicious FTP commands issued with SITE
commands. False positives are possible if such commands are used with SITE commands in normal operation.
Signature ID: 6072
Suspicious FTP Server Access with USER command
Threat Level: Warning
Signature Description: FTP users issue USER and PASS commands to log into an FTP server. The user may issue
another USER command after login is successful, as part of exploiting the existing premature PASV vulnerability. The
premature PASV command issued then may cause some FTP daemons to crash with a core dump. This FTP core dump
can be used to salvage encrypted passwords, bypassing any shadow password scheme. This rule generates a warning
when a USER command is received after authentication has completed.
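The post-authentication USER check described for Signature 6072, sketched as an added example that is not part of the original guide or the module's own rule logic. The event tuple layout, the function name and the sample session are constructed for illustration; the REIN handling goes beyond the guide's text and is included so that a USER following a session reset is not flagged.

```python
# Added example (not vendor code): stateful check for a USER command
# received after a successful login on the same FTP control connection.

def find_post_auth_user(events):
    """events: (conn_id, direction, line) tuples in capture order.
    direction is "C" for client-to-server, "S" for server-to-client.
    Returns a list of (conn_id, line) for each USER seen after login."""
    authenticated = {}     # conn_id -> True once a 230 reply was seen
    rein_pending = set()   # conn_ids whose REIN has not been answered yet
    hits = []
    for conn, direction, line in events:
        text = line.strip()
        if not text:
            continue
        if direction == "S":
            code = text[:3]
            if conn in rein_pending:
                rein_pending.discard(conn)
                if code == "220":              # REIN accepted: login state reset
                    authenticated[conn] = False
            elif code == "230":                # RFC 959: user logged in
                authenticated[conn] = True
            continue
        verb = text.split(None, 1)[0].upper()  # FTP verbs are case-insensitive
        if verb == "REIN":
            rein_pending.add(conn)
        elif verb == "USER" and authenticated.get(conn, False):
            hits.append((conn, text))          # warning-level event
    return hits

# Constructed sample: connection 1 re-sends USER after login,
# connection 2 resets the session with REIN before sending USER again.
SAMPLE = [
    (1, "S", "220 ftp.example.test ready"),
    (1, "C", "USER alice"), (1, "S", "331 Password required"),
    (1, "C", "PASS ********"), (1, "S", "230 User logged in"),
    (1, "C", "user bob"), (1, "S", "331 Password required"),
    (2, "S", "220 ftp.example.test ready"),
    (2, "C", "USER carol"), (2, "S", "331 Password required"),
    (2, "C", "PASS ********"), (2, "S", "230 User logged in"),
    (2, "C", "REIN"), (2, "S", "220 Service ready for new user"),
    (2, "C", "USER dave"),
]

if __name__ == "__main__":
    for conn, line in find_post_auth_user(SAMPLE):
        print(f"WARNING conn={conn}: USER after authentication: {line!r}")
```

RFC 959 permits a server to accept a new USER at any point, so a match is a warning to correlate with other activity rather than proof of an attack.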
Signature ID: 6076
DOS Vulnerability with CSM Proxy 4.1
Threat Level: Information
Industry ID: CVE-1999-1149
Signature Description: CSM (Computer Software Manufaktur) Proxy Server version 4.1 is vulnerable to a buffer
overflow triggered by sending 1030 characters or more to the FTP port (21). A restart of the proxy (Win95) or a
reboot (NT) is needed to recover system functionality.
Signature ID: 6078
Backdoor BackConstruction FTP setup Command
Threat Level: Information
Signature Description: BackConstruction is among the popular backdoors that attackers use to control a victim's system
remotely. The BackConstruction backdoor for Windows 9x and NT allows a remote attacker to enable an FTP server
on an infected machine and create, retrieve, and manipulate files on the system.
Signature ID: 6079
Backdoor BackConstruction FTP setup Command
Threat Level: Information
Signature Description: BackConstruction is among the popular backdoors that attackers use to control a victim's system
remotely. The BackConstruction backdoor for Windows 9x and NT allows a remote attacker to enable an FTP server
on an infected machine and create, retrieve, and manipulate files on the system. This backdoor works on port 666 via
TCP, with request packets.
Signature ID: 6080
EFTP Information Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1193
Bugtraq: 3691
Signature Description: Encrypted FTP (EFTP) is a file transfer protocol that provides encrypted file transfer
functionality. EFTP version 2.0.8.346 is vulnerable to a flaw that may allow attackers to view directory contents. A
remote attacker can use the CWD command followed by special "dot dot" sequences (../../) to access directories outside
of the FTP root directory. Attackers with a valid user account can exploit this flaw to view the contents of any directory
on the system. Upgrade to EFTP 2.0.8.348 or later to resolve this issue.