ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 15023
Rsh root login attempt by using froot option
Threat Level: Information
Industry ID: CVE-1999-0113 Bugtraq: 458 Nessus: 10161
Signature Description: This rule detects a remote login attempt by rsh when the -froot option is specified. rsh connects to
the specified hostname and executes the specified command. If the command is omitted, rsh logs in on the
remote host using rlogin. An intruder may try to attack an older version of the rlogin server that allows remote login
as root without a password. For example, the -froot option is used as "# rlogin victim.example.net -l -froot".
Signature ID: 15024
Root login attempt by rsh
Threat Level: Information
Industry ID: CVE-1999-0651
Signature Description: This rule generates a log entry when a login as the superuser is attempted using rsh.
Such activity indicates an attempt to abuse insecure machines with a known default configuration. Some UNIX
systems use the "rsh" daemon, which permits remote "root" logins. This may allow an attacker to connect to the
machine and establish an interactive session.
Signature ID: 16001
Detect the HTTP RPC endpoint mapper
Threat Level: Information
Nessus: 10763,10032
Signature Description: The RPC endpoint mapper allows RPC clients to determine the port number currently assigned
to a particular RPC service. An attacker attempts to detect the http-rpc-epmap service by connecting to port 593 and
processing the buffer received. This endpoint mapper provides CIS (COM+ Internet Services) parameters such as port 135
(epmap) for RPC. The Windows NT 4.0 endpoint mapper is the vulnerable platform.
Signature ID: 16002
3270 mapper service Vulnerability
Threat Level: Information
Nessus: 10208
Signature Description: The RPC 3270_mapper service is a server. Clients wishing to communicate with some
mainframes are required to use a 3270 terminal emulation program, which under many implementations requires this
service to be running. The 3270_mapper registers with the RPC portmapper as program 100013. This service may
become a security threat. This rule generates an event when an attacker tries to determine whether the 3270_mapper
service is running by using a portmap request. Administrators are advised to disable the service if it is not necessary.
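
The portmap lookup described for Signature 16002 can be recognized by decoding the ONC RPC call header and the GETPORT arguments. The sketch below is an added example, not the module's own signature logic; the function names are hypothetical, and it assumes a raw UDP payload addressed to portmapper version 2 (no TCP record marker).

```python
import struct

PMAP_PROG, PMAP_VERS = 100000, 2      # portmapper program number and version
PMAPPROC_GETPORT = 3                  # procedure that asks "which port is program X on?"
WATCHED = {100013: "3270_mapper"}     # program number taken from the signature text

def parse_pmap_call(payload):
    """Parse a UDP ONC RPC call to the portmapper; return a dict or None."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
        if (mtype, rpcvers, prog, vers) != (0, 2, PMAP_PROG, PMAP_VERS):
            return None               # not a CALL (0) to portmap v2 over RPC v2
        off = 24
        for _ in range(2):            # skip credential and verifier (flavor, length, body)
            _flavor, length = struct.unpack_from(">2I", payload, off)
            if length > 400:          # opaque_auth bodies are capped at 400 bytes
                return None
            off += 8 + ((length + 3) & ~3)   # XDR pads opaque data to 4 bytes
        result = {"xid": xid, "proc": proc}
        if proc == PMAPPROC_GETPORT:
            q_prog, q_vers, q_prot, _port = struct.unpack_from(">4I", payload, off)
            result.update(program=q_prog, version=q_vers, protocol=q_prot)
        return result
    except struct.error:              # truncated or malformed datagram
        return None

def check(payload, watched=WATCHED):
    """Return an alert string for a GETPORT probe of a watched program, else None."""
    call = parse_pmap_call(payload)
    if call and call["proc"] == PMAPPROC_GETPORT and call["program"] in watched:
        name = watched[call["program"]]
        return "portmap GETPORT for %s (program %d)" % (name, call["program"])
    return None

def build_getport(program, xid=0x1234, cred_len=0):
    """Constructed sample input: a GETPORT call with an empty verifier."""
    cred = struct.pack(">2I", 0, cred_len) + b"\0" * ((cred_len + 3) & ~3)
    hdr = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    args = struct.pack(">4I", program, 1, 17, 0)   # version 1, protocol 17 (UDP), port 0
    return hdr + cred + struct.pack(">2I", 0, 0) + args

if __name__ == "__main__":
    print(check(build_getport(100013)))   # watched program
    print(check(build_getport(100003)))   # different program, not watched
```
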
Signature ID: 16005
Automounter daemon(amd) service portmap request vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0704 Bugtraq: 614 Nessus: 10211
Signature Description: The automounter daemon (amd) is a daemon that automatically mounts filesystems whenever a file
or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have
become quiescent. The automounter daemon (am-utils-6.0.1) is vulnerable to a buffer overflow under several operating
systems. This vulnerability is due to insufficient validation of user-supplied data. Successful exploitation of this
vulnerability allows an attacker to execute remote code on the vulnerable system.