ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature Description: Computer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery
application. The UniversalAgent module for UNIX listens on TCP/UDP port 6051 and is used to perform backups on
nodes across the network; it can back up system settings as well as files. This agent service requires either
administrative credentials or a node-specific password. The software includes a hard-coded backdoor account with a
default authentication password. By authenticating with username "\x02root\x03" and password
"\x02<%j8U]`~+Ri\x03" (without quotes), a remote user can gain full access to the file system and execute arbitrary
commands with "root" privileges. Administrators are advised to close port 6051 to external users.
Signature ID: 8013
Access to Vulnerable HP/UX Remwatch
Threat Level: Warning
Industry ID: CVE-1999-0246 Nessus: 10202
Signature Description: Multiple vulnerabilities have been discovered in the HP/UX RemWatch binaries. By exploiting
them, an attacker can execute arbitrary commands. This rule triggers when the IPS software detects an attempt to
connect to the RemWatch binaries from an external network.
Signature ID: 8014
Multiple BSD derived Telnetd Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0554 CVE-2004-0911 Bugtraq: 3064, 11313 Nessus: 10709
Signature Description: A boundary condition error exists in telnet daemons derived from the BSD telnet daemon. The
Telnet server does not return the expected number of replies when it receives a long sequence of 'Are You There'
commands. This probably means that it overflows one of its internal buffers and crashes. It is likely that an attacker
could abuse this bug to gain a command shell on the victim's machine.
Signature ID: 8017
Xitami Web Server Buffer Overflow Vulnerability
Threat Level: Warning
Nessus: 10322
Signature Description: Xitami is a small, portable open source web server. It is possible to crash the web server
by sending a large amount of data to remote port 81. It is also reported that this problem may allow an attacker to
execute arbitrary code on the remote system.
Signature ID: 8022
SSH Version 1.2.17 check
Threat Level: Warning
Signature Description: Version 1.2.17 of the SSH server package contains security vulnerabilities which can lead to an
attacker compromising the security of the SSH protocol. This vulnerability is present in version 1.5 of the SSH protocol,
which is only present in version 1.2. This rule alerts the administrator to any access made using the vulnerable SSH
protocol version 1.5.
Signature ID: 8100
Username 4Dgifts account access
Threat Level: Information
Industry ID: CVE-1999-0501 CVE-1999-0502
Signature Description: Reconnaissance is the gathering of information about the target before attacking. It is the
first stage of an attack, in which the attacker gathers information such as the OS, open ports, and IP information. Testing the
capability of the gateway security devices and gather information like what data will the firewall or IPS allow inside