TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 12059
MS-SQL sa brute force failed login
Threat Level: Information
Industry ID: CVE-2000-1209 Bugtraq: 4797 Nessus: 10673
Signature Description: Microsoft MSDE and SQL Server 2000 Desktop Engine are configured by default with a null
administrative password. Remote attackers may exploit this flaw to gain administrative access to the database if the
password has not been manually changed. This event is reported when the server responds to an unsuccessful login
attempt. Because genuine users may also cause login failure events, observe whether the event repeats before
treating it as an attack.
Signature ID: 12060
MS-SQL sa brute force failed login unicode
Threat Level: Information
Industry ID: CVE-2000-1209 Bugtraq: 4797 Nessus: 10673
Signature Description: Microsoft Data Engine (MSDE) version 1.0 and Microsoft SQL Server Desktop Engine
(MSDE2000) use SQL Authentication by default when installed. The default user name is always "sa", and the
default password is blank. MSDE version 1.0 and SQL Server 2000 Desktop Engine are therefore vulnerable to
unauthorised access. Remote attackers may exploit this flaw to gain administrative access to the database if the
password has not been manually changed.
Signature ID: 12061
MS-SQL shellcode attempt
Threat Level: Information
Signature Description: An attempt to use shellcode against the SQL server is detected. This may lead to serious
compromise of the data stored on the system where the SQL server is running.
Signature ID: 12062
MS-SQL sp_adduser - database user creation
Threat Level: Information
Signature Description: This event is generated when an authorized user attempts to execute suspicious commands on
a SQL database server that may result in a loss of confidentiality, availability and integrity of data stored on the
database. MS SQL sp_adduser adds a security account for a new user in the current database. This is a suspicious
activity because it is being initiated from an external network.
Signature ID: 12063
MS-SQL sp_delete_alert log file deletion
Threat Level: Information
Signature Description: This event is generated when an unauthorized user attempts to execute suspicious commands on
a SQL database server that may result in a loss of confidentiality, availability and integrity of data stored on the
database. MS SQL sp_delete_alert deletes an alert from the database. This is a suspicious activity because it is being
initiated from an external network.
Signature ID: 12064
MS-SQL sp_password - password change
Threat Level: Information
Signature Description: This event is generated when an authorized user attempts to execute suspicious commands on
a SQL database server that may result in a loss of confidentiality, availability and integrity of data stored on the
database. MS SQL sp_password adds or changes a password for a SQL Server, which is a suspicious activity.