ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 20016
Check for a Citrix server
Threat Level: Information
Nessus: 11022
Signature Description: Citrix servers allow a Windows user to remotely obtain a graphical login (and therefore act as a
local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain
further access on the remote host.
Signature ID: 20017
Telnet LD_LIBRARY_PATH vulnerability
Threat Level: Information
Signature Description: Telnet is the terminal emulation protocol of TCP/IP. Telnet uses the TCP transport protocol to
achieve a virtual connection between server and client. After connecting, the Telnet server and client enter a phase of
option negotiation that determines the options that each side can support for the connection. Each connected system can
negotiate new options or renegotiate old options at any time. An attacker attempts to set the LD_LIBRARY_PATH environment
variable in a Telnet session in order to gain unauthorized superuser access.
Signature ID: 20018
Access to Telnet RESOLV_HOST_CONF
Threat Level: Information
Industry ID: CVE-2001-0170 Bugtraq: 2181
Signature Description: Some telnet daemons will accept environment variables from remote telnet clients. Some of
these variables include paths to system files, like RESOLV_HOST_CONF. A vulnerability exists in some systems'
resolver library whereby a user can specify the location of a configuration file. If your host is vulnerable to this, an
intruder could read any file on your system by connecting to your telnet daemon.
Signature ID: 20019
Linux NIS+ account attempt
Threat Level: Information
Signature Description: The Network Information Service Plus (NIS+) provides a simple network lookup service
consisting of databases and processes. It was formerly known as Sun Yellow Pages (YP). The functionality of the two
remains the same; only the name has changed. Its purpose is to provide information that has to be known throughout
the network and to all machines on the network. In the past, installations of NIS+ on some Linux distributions were
configured improperly in the /etc/passwd file. This inconsistency allowed remote users to log in as '+'.
Signature ID: 20020
'Rootkit' check with content of
Threat Level: Information
Signature Description: 'Rootkit' is the name of a popular collection of trojaned OS utilities that are used by hackers to
backdoor a compromised host. There is the original rootkit, as well as versions specifically for SunOS and Linux.
An attacker attempts to connect to a Telnet server using the phrase "D13HH[". This is a known password for the Linux
rootkit.
Signature ID: 20021
'Rootkit' check with content of "wh00t!"
Threat Level: Information
Signature Description: 'Rootkit' is the name of a popular collection of trojaned OS utilities that are used by hackers to