Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 906

Network and Security Manager Administration Guide
Table 122: Deep Inspection Alarm Log Entries (continued)
Attack Name
FTP:OVERFLOW:WFTPD-MKD-OVERFLOW
FTP:OVERFLOW:WUBSD-SE-RACE
FTP:PABLO-FTP:FORMAT-STRING
FTP:PASSWORD:BRUTE-FORCE
FTP:PASSWORD:COMMON-PASSWD
FTP:PASSWORD:H0TB0X
FTP:PASSWORD:LRKR0X
FTP:PASSWORD:SATORI
FTP:PASSWORD:WH00T
FTP:PROFTP:LOGXFR-OF1
FTP:PROFTP:MKD-OVERFLOW
FTP:PROFTP:PPC-FS1
856
Attack Description
This signature detects buffer overflow attempts against the
MKD command in Wftpd server 2.34. Attackers may use
MKD and CWD commands to create nested directories and
execute arbitrary commands with system privileges.
This signature detects buffer overflow attempts against the
PASS command in Wu-ftpd 2.6.0 and BSDi-ftpd. Attackers
may send a maliciously crafted PASS request to an FTP
server to execute arbitrary commands as root.
This signature detects denial-of-service attempts against
the Pablo FTP Server. Versions 1.2, 1.3, and 1.5 running on
Windows 2000 are vulnerable. Because the FTP server
improperly parses format string characters, attackers may
supply a maliciously crafted username to execute arbitrary
code and crash the server.
This protocol anomaly is multiple login failures within a short
period of time between a unique pair of hosts.
This signature detects common passwords used in FTP
sessions. Attackers may attempt to log into known accounts
using easily guessed passwords.
This signature detects attempts to use the default rootkit
password 'h0tb0x' to access a FreeBSD rootkit account.
Attackers may gain root access.
This signature detects attempts to install the Rootkit hacker
utility on a LINUX system. The default password is lrkr0x.
This signature detects attempts to install the Rootkit lrk4
hacker utility on a system. The default password is satori.
This signature detects attempts to install the Rootkit hacker
utility on a LINUX system. The default password is wh00t.
This signature detects buffer overflow attempts against the
log_xfer() function in ProFTPD. This vulnerability affects
ProFTPD versions 1.2.0pre1, pre2, and pre3.
This signature detects buffer overflow attempts against
ProFTPD. Versions 1.2pre3 and earlier are vulnerable.
Attackers may send a pathname to the 'MKD' command to
gain remote root access.
This signature detects attempts to exploit a format string
vulnerability in ProFTPD. Versions 1.2pre6 and earlier are
vulnerable. Attackers may overflow the PWD command.
Severity Versions
critical sos5.0.0,
sos5.1.0
critical sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.1.0
info sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
high sos5.0.0,
sos5.1.0
critical sos5.0.0,
sos5.1.0
critical sos5.0.0,
sos5.1.0
critical sos5.0.0,
sos5.1.0
Copyright © 2010, Juniper Networks, Inc.