ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 16136
Rpc.pcnfsd execution vulnerability
Threat Level: Information
Signature Description: The Rpc.pcnfsd daemon handles requests from PC-NFS clients for authentication services on
remote machines. These services include authentication for mounting and for print spooling. When a PC-NFS client
makes a request, the inetd daemon starts the Rpc.pcnfsd daemon. The Rpc.pcnfsd daemon reads the /etc/pcnfsd.conf
configuration file, if present, then services RPC requests directed to program number 150001. After the Rpc.pcnfsd
daemon is started, all print requests go to the default print spooling directory. Rpc.pcnfsd is vulnerable to a security
threat in the future. This signature generates an event when an attacker tries to identify whether the Rpc.pcnfsd service
is running. Administrators are advised to disable the Rpc.pcnfsd service if it is not needed. This signature specifically
detects when an attacker sends a request using RPC-TCP.
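The check described in this entry can be reproduced offline against a reassembled TCP stream. The following is an added example, not code from the guide or from the TMS zl signature engine: it parses RPC-over-TCP record marking and the RPC call header, then reports calls to program 150001. The guide does not say how the signature matches, so treating a portmapper GETPORT lookup for 150001 as a second indicator is an assumption, and the function names and sample stream are constructed for illustration.

```python
import struct

PCNFSD_PROG = 150001   # program number given in the signature description
PMAP_PROG = 100000     # portmapper program number (RFC 1833)
PMAPPROC_GETPORT = 3   # portmapper GETPORT procedure (RFC 1833)

def read_records(stream):
    """Reassemble RPC records from a TCP byte stream (RFC 5531 record marking)."""
    pos, record = 0, b""
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        last, length = bool(mark & 0x80000000), mark & 0x7FFFFFFF
        frag = stream[pos + 4 : pos + 4 + length]
        if len(frag) < length:
            break  # truncated capture: stop rather than guess
        record, pos = record + frag, pos + 4 + length
        if last:  # high bit marks the final fragment of a record
            yield record
            record = b""

def classify(record):
    """Return a finding for pcnfsd-related RPC calls, else None."""
    try:
        _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", record)
        if mtype != 0 or rpcvers != 2:  # only RPC version 2 CALL messages
            return None
        if prog == PCNFSD_PROG:
            return f"direct call to pcnfsd, procedure {proc}"
        if prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
            return None
        off = 24
        for _ in range(2):  # skip credential, then verifier: flavor, length, padded body
            (alen,) = struct.unpack_from(">I", record, off + 4)
            off += 8 + ((alen + 3) & ~3)
        target, tvers, _prot, _port = struct.unpack_from(">4I", record, off)
    except struct.error:
        return None  # short or malformed record
    return f"portmap GETPORT lookup for pcnfsd v{tvers}" if target == PCNFSD_PROG else None

def make_call(prog, vers, proc, args=b""):
    """Constructed sample: one-fragment RPC v2 CALL with AUTH_NONE cred and verifier."""
    body = struct.pack(">10I", 0x1234, 0, 2, prog, vers, proc, 0, 0, 0, 0) + args
    return struct.pack(">I", 0x80000000 | len(body)) + body

def scan(stream):
    return [f for f in map(classify, read_records(stream)) if f]

# Constructed stream: GETPORT for pcnfsd over TCP (6), an NFS (100003) null call, a pcnfsd null call
SAMPLE = (make_call(PMAP_PROG, 2, PMAPPROC_GETPORT, struct.pack(">4I", PCNFSD_PROG, 2, 6, 0))
          + make_call(100003, 3, 0) + make_call(PCNFSD_PROG, 2, 0))
```

Calling scan(SAMPLE) returns one finding for the portmapper lookup and one for the direct call; the NFS call in between is ignored.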
Signature ID: 16137
NIS domain name check
Threat Level: Information
Signature Description: NIS (Network Information System) does most of its authentication by having the client pass the
server the NIS domain name as a password. When a client provides the correct NIS domain name, it may request NIS
maps. Often an NIS domain name is easily guessable. If this is the case, then a user anywhere on the Internet who
knows your NIS domain name may request your maps (passwd.byname, for example). This signature detects when an
attacker sends a request to the portmap service using RPC-TCP.
Signature ID: 16138
Rpc.rwalld vulnerability
Threat Level: Information
Industry ID: CVE-1999-0181 Nessus: 10240
Signature Description: The rwall daemon is a service which will broadcast messages from remote hosts to all users
who are logged into the system. While it is useful for sending broadcast messages across an entire network for
administrative purposes, it lacks proper authentication. This provides an attacker with the ability to send messages to
every user logged into your servers. This also allows an attacker to flood users with messages. This signature detects
when an attacker sends a request to the portmap service using RPC-TCP.
Signature ID: 16139
Mount & NIS services on non-reserved ports check Vulnerability
Threat Level: Information
Signature Description: Mount (which makes a group of files in a file system structure accessible to a user or user
group) and NIS (Network Information System, which allows many machines on a network to share configuration
information, including password data) services are sometimes run on non-reserved ports. An attacker may probe to
identify whether these services are running on non-reserved ports. Services running on non-reserved ports are most
likely vulnerable to port hijacking, which lets an attacker intercept data from, or supply data to, client programs.
This signature specifically detects when an attacker sends a request using the TCP service.
Signature ID: 16140
Portmapper register/unregister through callit
Threat Level: Information
Signature Description: An attacker may probe to identify whether portmapper services can be set and unset by utilizing
a feature within the portmapper/rpcbind program known as callit(). The callit() function allows forwarding of requests
to local services as though they were coming from the local system itself. This allows attackers to bypass IP address
based authentication checks, to register and un-register services, in addition to exploiting other services. This check