TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
the network. The attacker tries to log in to a server using the username 4Dgifts via Telnet. This is a default account on some
SGI-based machines. The password may also be 4Dgifts, or the account may have no password assigned.
Signature ID: 8101
APC Management card default admin account access
Threat Level: Warning
Industry ID: CVE-2004-0311
Bugtraq: 9681
Signature Description: The APC WEB/SNMP Management Card is used to remotely manage APC products. The APC
WEB/SNMP Management Card (9606) Firmware 3.0.1 and 3.0 have been reported to ship with a default password. This
password is reportedly used during initial card configuration, prior to public distribution. This signature generates an
event when these credentials are used in a Telnet session.
Signature ID: 8102
Failed SU attempt from a wrong group
Threat Level: Information
Signature Description: Reconnaissance is the gathering of information about the target before attacking. It is the first
stage of an attack, in which the attacker collects information such as the OS, open ports and IP addresses, and tests
the capability of the gateway security devices to learn what data the firewall or IPS will allow inside the network. An
attacker may attempt to gain root privileges by issuing the su command. This implies that the attacker has already
connected to the Telnet server with an account other than root. A failed attempt causes an error message to be generated
indicating that the user is not a member of a group authorized to obtain root privileges.
Signature ID: 8103
EZSetup account access attempt
Threat Level: Information
Industry ID: CVE-1999-0501 CVE-1999-0502
Signature Description: Reconnaissance is the gathering of information about the target before attacking. It is the first
stage of an attack, in which the attacker collects information such as the OS, open ports and IP addresses, and tests
the capability of the gateway security devices to learn what data the firewall or IPS will allow inside the network. Some
SGI machines shipped with a group of easy-setup scripts (EZsetup) to assist the user when setting up the host; these
scripts may install some passwordless default accounts on the machine. The attacker tries to log in to a server using
the username OutOfBox via Telnet. This is a default account on some SGI-based machines. The password may also be
OutOfBox, or the account may have no password assigned. Repeated events from this rule may indicate a determined
effort to guess the password for this account.
Signature ID: 8104
IRIX telnetd format vulnerability
Threat Level: Critical
Signature Description: Telnet is the terminal emulation protocol of TCP/IP. Telnet uses the TCP transport protocol to
establish a virtual connection between server and client. After connecting, the Telnet server and client enter a phase of
option negotiation that determines the options each side can support for the connection. When one of the
_RDL environment variables is set, IRIX's telnetd logs the information via syslog. Because telnetd passes the variable to
syslog, it is possible to craft the variable so that values on the stack are overwritten and supplied code is executed as
the user telnetd runs as, typically root.
Signature ID: 8105
Solaris telnetd buffer overflow vulnerability
Threat Level: Information
Signature Description: Telnet is the terminal emulation protocol of TCP/IP. Telnet uses the TCP transport protocol to achieve