TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. In this case PCT should work for LDAPS (port 636). This includes, but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use PCT (MS04-011).
Signature ID: 10100
MySQL Database root login attempt
Threat Level: Severe
Signature Description: This rule detects when someone using the name "root" logs in to a MySQL database from an external network. The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
Signature ID: 10101
MySQL CREATE FUNCTION libc arbitrary code execution
Threat Level: Information
Industry ID: CVE-2005-0709
Bugtraq: 12781
Signature Description: MySQL is a freely distributed relational database server often used as a back-end for several applications. MySQL versions 4.0.23 and 4.1.10 and prior could allow an attacker to execute arbitrary code. MySQL provides a mechanism by which the default set of functions can be expanded by means of custom-written dynamic libraries containing User Defined Functions, or UDFs. The CREATE FUNCTION statement allows a user to create a user-defined function (UDF) that is stored in a system shared library. A flaw exists that permits a user to call any function in the shared library as a UDF. This may allow arbitrary code to be executed with MySQL privileges.
Signature ID: 10102
MySQL root login attempt
Threat Level: Information
Signature Description: This rule gets hit when someone using the name "root" logs in to a MySQL database from an external network. The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
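Signatures 10100 and 10102 both key on the user name carried in the MySQL client login packet. As an added example that is not part of this guide or of the ProCurve signature engine, the following Python extracts the user name from a MySQL HandshakeResponse packet (the 4.1 layout and the pre-4.1 layout, as defined by the MySQL client/server protocol) and flags "root" logins whose source address is outside an assumed internal range; the internal ranges and the constructed test packet are assumptions.

```python
"""Flag MySQL client login packets that present the user name "root" from an
address outside the trusted internal ranges (constructed detection example)."""
import ipaddress
import struct
from typing import Optional

CLIENT_PROTOCOL_41 = 0x00000200          # capability bit set by 4.1+ clients
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]   # assumed "internal"


def mysql_login_user(payload: bytes) -> Optional[str]:
    """Return the user name from a MySQL HandshakeResponse packet, or None.
    payload is the raw TCP payload: 3-byte LE length, 1-byte sequence id, body."""
    if len(payload) < 4:
        return None
    length = int.from_bytes(payload[0:3], "little")
    body = payload[4:4 + length]
    if len(body) != length or payload[3] != 1:   # client login reply is sequence 1
        return None
    if len(body) >= 32 and struct.unpack_from("<I", body, 0)[0] & CLIENT_PROTOCOL_41:
        start = 32            # 4 caps + 4 max packet + 1 charset + 23 reserved bytes
    elif len(body) >= 5:
        start = 5             # pre-4.1 layout: 2 caps + 3 max packet
    else:
        return None
    end = body.find(b"\x00", start)            # user name is NUL-terminated
    if end < 0:
        return None
    try:
        return body[start:end].decode("utf-8")
    except UnicodeDecodeError:
        return None


def root_login_from_outside(src_ip: str, payload: bytes) -> bool:
    """True when the packet is a 'root' login and src_ip is not in INTERNAL_NETS."""
    if mysql_login_user(payload) != "root":
        return False
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_login(user: bytes) -> bytes:
    """Constructed HandshakeResponse41 for testing (empty auth-response, no database)."""
    body = struct.pack("<IIB", CLIENT_PROTOCOL_41 | 0x8000, 16777216, 33) + b"\x00" * 23
    body += user + b"\x00" + b"\x00"           # user name, NUL, 1-byte auth length 0
    return len(body).to_bytes(3, "little") + b"\x01" + body
```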
Signature ID: 10103
MySQL Show Databases attempt
Threat Level: Information
Signature Description: This rule gets hit when an attempt is made to use the MySQL 'show' command to garner a list of the databases being served by the MySQL daemon. An attacker can collect this information if MySQL is not properly configured.
Signature ID: 10104
CiscoSecure ACS for Windows NT CSAdmin Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1054
Bugtraq: 1705
Signature Description: CiscoSecure ACS for Windows NT versions 2.4.2 and earlier are vulnerable to a buffer overflow in the CSAdmin software module. By sending an oversized packet to TCP port 2002, an unauthenticated remote attacker can overflow the buffer and execute arbitrary code or cause the CSAdmin software module to crash.