TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 15016
Pragma Systems Telnet Server 2000 rexec port password overflow attempt
Threat Level: Information
Industry ID: CVE-2000-0708
Bugtraq: 1605
Signature Description: Pragma Systems offers a Windows remote access server called TelnetServer 2000. TelnetServer
crashes if more than 1000 NULL characters are sent in the password field to its rexec port, 512. This can be done by an
anonymous attacker from anywhere on the Internet.
Signature ID: 15017
Pragma Systems Telnet Server 2000 rexec port username overflow attempt
Threat Level: Information
Industry ID: CVE-2000-0708
Bugtraq: 1605
Signature Description: Pragma Systems offers a Windows remote access server called TelnetServer 2000. TelnetServer
crashes if more than 1000 NULL characters are sent to its rexec port, 512. This can be done by an anonymous
attacker from anywhere on the Internet.
Signature ID: 15018
Connection attempt using bin account via rsh
Threat Level: Information
Signature Description: This rule detects a connection made to the "rsh" service using the "bin" account. This activity may
indicate an attempt to abuse hosts that use a default configuration. Some UNIX systems used to ship with the "bin"
account enabled and no password required. This allows an attacker to connect to the machine and establish an
interactive session using the "bin" account.
Signature ID: 15020
Failed Login attempt through rlogin
Threat Level: Information
Signature Description: This rule detects the login failure message generated by rlogind. rlogin is used on UNIX systems
for remote connectivity and remote command execution. A higher frequency of this event may indicate that an attacker is
attempting a brute-force password guessing attack.
Signature ID: 15021
Attempt to login as root by using rlogin
Threat Level: Information
Signature Description: This rule detects login attempts as the superuser using rlogin. Such activity is indicative
of an attempt to abuse insecure machines with a known default configuration. Some UNIX systems use the "rlogin"
daemon, which permits remote "root" logins. This may allow an attacker to connect to the machine and establish an
interactive session.
Signature ID: 15022
Modifying access control permissions by rsh echo + +
Threat Level: Information
Signature Description: The command "echo + +" is used to relax access control permissions for remote services to
allow access from any site without the need for password authentication. This activity is indicative of an attempt to
abuse hosts that use a default configuration. Some UNIX systems use the "rsh" service to allow a connection to the
machine for establishing an interactive session. This rule tries to detect whether rsh is used to modify system configuration.