ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server, running
on TCP port 5554, and retrieve a copy of the worm.
Signature ID: 12049
Sasser Worm [FTP Retrieval] Attack
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The Sasser Worm exploits a vulnerability in the Windows Local Security Authority Subsystem
Service (LSASS). This worm spreads by scanning randomly selected IP addresses for vulnerable systems. It attempts to
exploit the LSASS vulnerability and open a remote shell on TCP ports 9995 (version D of the worm) or 9996 (versions
A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server, running
on TCP port 5554, and retrieve a copy of the worm. This signature triggers on use of TCP port 5554.
Signature ID: 12050
Sasser Worm [Command Shell] Attack
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The Sasser Worm exploits a vulnerability in the Windows Local Security Authority Subsystem
Service (LSASS). This worm spreads by scanning randomly selected IP addresses for vulnerable systems. It attempts to
exploit the LSASS vulnerability and open a remote shell on TCP ports 9995 (version D of the worm) or 9996 (versions
A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server, running
on TCP port 5554, and retrieve a copy of the worm. This signature triggers on use of TCP port 9995 or 9996.
Signature ID: 12051
Sasser Worm [FTP Retrieval] Attack
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The Sasser Worm exploits a vulnerability in the Windows Local Security Authority Subsystem
Service (LSASS). This worm spreads by scanning randomly selected IP addresses for vulnerable systems. It attempts to
exploit the LSASS vulnerability and open a remote shell on TCP ports 9995 (version D of the worm) or 9996
(versions A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server,
running on TCP port 5554, and retrieve a copy of the worm.
Signature ID: 12053
MS-SQL SA login attempt
Threat Level: Information
Industry ID: CVE-2000-1209 Bugtraq: 4797 Nessus: 10673
Signature Description: Microsoft MSDE and SQL Server 2000 Desktop Engine are configured by default with a null
administrative password. Remote attackers may exploit this flaw to gain administrative access to the
database if the password has not been manually changed. This event is triggered when an attempt is made to access a
host running Microsoft SQL Server or utilizing MSDE via the default "sa" account. This is suspicious activity, as the
default account is being accessed from an external network.
Signature ID: 12054
MS-SQL SA login attempt TDS v7/8
Threat Level: Information
Industry ID: CVE-2000-1209 Bugtraq: 4797 Nessus: 10673
Signature Description: Microsoft MSDE and SQL Server 2000 Desktop Engine are configured by default with a null
administrative password. Remote attackers may exploit this flaw to gain administrative access to the