TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 25050
PCAnywhere Attempted Administrator Login
Threat Level: Information
Signature Description: PCAnywhere is a remote control administrative software package from Symantec. This could be
an attempt by an external source to compromise administrator account privileges of PCAnywhere.
Signature ID: 25073
Samba messaging service buffer overflow
Threat Level: Information
Industry ID: CVE-1999-0811 Bugtraq: 536
Signature Description: Samba server versions prior to 2.0.5a are vulnerable to buffer overflow attacks in the messaging
service. The Samba 'smbd' daemon is affected by a Denial of Service vulnerability. An attacker could use "%f" or "%M"
format specifiers to overflow a buffer and execute arbitrary code on the target system. A remote user who connects to the
server on port 139 or port 445 can cause smbd to overwrite arbitrary memory locations within the smbd process address
space and cause arbitrary code to be executed by smbd with root privileges.
Signature ID: 25112
Lsass Exploit Attack
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The Sasser Worm exploits a vulnerability in the Windows Local Security Authority Subsystem
Service (LSASS). This worm spreads by scanning randomly selected IP addresses for vulnerable systems. It attempts to
exploit the LSASS vulnerability and open a remote shell on TCP port 9995 (version D of the worm) or 9996 (versions
A, B, and C of the worm). The command shell is used to connect back to the infected computer's FTP server, running
on TCP port 5554, and retrieve a copy of the worm. This signature triggers on traffic using TCP port 445.
Signature ID: 25122
ICMP probes to infect Welchia Worm
Threat Level: Information
Signature Description: The Welchia worm propagates by exploiting the Microsoft Windows DCOM RPC vulnerability
(described in Microsoft Security Bulletin MS03-026), specifically targeting Windows XP machines. It also may use the
WebDav vulnerability in Microsoft IIS 5.0 HTTP server (described in Microsoft Security Bulletin MS03-007). Once it
has infected a machine, the worm removes the Blaster worm (if it is installed), downloads the DCOM RPC patch from
Microsoft's Windows Update Web site, installs the patch, and then reboots the computer. The Welchia worm probes
for active machines to infect by sending ICMP echo requests. The generated ICMP traffic can saturate the network.
Signature ID: 26023
SQL xp_cmdshell program execution
Threat Level: Information
Signature Description: Several of the Microsoft-provided extended stored procedures have a flaw in common. They fail
to perform input validation properly and are susceptible to buffer overruns. As a result, exploiting these flaws could
enable an attacker either to cause the SQL Server service to fail or to cause code to run in the security context in which
SQL Server is running. This rule may give false alarms when a legitimate user accesses SQL Server from outside, as this
rule detects every attempt to call the SQL xp_cmdshell procedure from the external network.