TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

backdoor a compromised host. There is the original rootkit, as well as versions specifically for SunOS and Linux. This
check attempts to identify a trojan /bin/login program by testing the default 'rootkit' username and password.
Signature ID: 20022
Hidesource Trojan Attempt
Threat Level: Information
Signature Description: 'Hidesource' is the name of a popular collection of trojaned SunOS utilities that are used by
hackers to backdoor a compromised host. Like the 'rootkit' trojan horse collection, this is a collection of utilities that
replace system utilities (e.g. the login program) with versions that contain a "backdoor". This rule hits when a telnet
packet contains the "wank" pattern.
Signature ID: 20023
BACKDOOR HidePak backdoor attempt
Threat Level: Information
Signature Description: 'HidePak' is the name of a popular collection of Trojan Solaris utilities that are used by hackers
to backdoor a compromised host. Like the 'rootkit' trojan horse collection, this is a collection of utilities that replace
system utilities (e.g. the login program) with versions that contain a "backdoor". This check attempts to identify a trojan
/bin/login program by testing the default 'HidePak' login and password.
Signature ID: 20024
CmailAdminDefault
Threat Level: Information
Signature Description: CMail server installs with a default administrator password "asecret," which could allow a
remote attacker to take administrative control of the server. The program gives users ample opportunity to change this
password but it remains a common misconfiguration to leave it in its default state.
Signature ID: 20025
Telnetd New-Environment option is set
Threat Level: Warning
Industry ID: CVE-1999-0073 Bugtraq: 459
Signature Description: This rule triggers when a telnet session is attempted with the New-Environment option set and
data is present for the New-Environment option. Many in.telnetd daemons offer the functionality of transferring environment
variables from one system to another. If the remote or targeted system, the one to which the telnet client is connecting, is
running an RFC 1408/RFC 1572-compliant telnet daemon and the targeted system also supports shared object libraries,
then it may be possible to transfer environment variables that influence the login program called by the telnet daemon.
By influencing the login program on that targeted system, a user may be able to bypass the normal login and authentication
scheme and may become root on that system.
Signature ID: 20026
GAMSoft TelSrv Denial of Service Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0665
Bugtraq: 1478 Nessus: 10474
Signature Description: TelSrv is a Telnet server. It provides the ability to remotely administer a machine over any
TCP/IP connection. The remote user can reboot, shut down and have full access to the host machine. GAMSoft telnet
server (Telnet 1.4.0 and Telnet 1.5.0) is vulnerable to a denial of service caused by a buffer overflow when more
than 4550 characters are sent to the username field. A remote attacker can overflow the buffer and cause the server service to
crash. No remedy available as of August 30, 2008. Users can stop the vulnerable telnet service.