Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 918

Network and Security Manager Administration Guide
HTTP:IIS:MDAC-RDS-2
HTTP:IIS:MFC-EXT-OF
HTTP:IIS:NEWDSN-FILE-CREATION
HTTP:IIS:NSIISLOG-CHUNKED-POST
HTTP:IIS:OUTLOOK-WEB-DOS
HTTP:IIS:PROPFIND
HTTP:IIS:SADMIND-WORM-ACCESS
HTTP:IIS:SENSEPOST.EXE
HTTP:IIS:SITE-SERVER-FILE-UPLD
HTTP:IIS:WEBDAV:LOCK-OF
868
This signature detects attempts to exploit the Remote Data
Services (RDS) component included in Microsoft Data
Access Components (MDAC) using ActiveDataFactory.
Microsoft IIS IIS 3.x and 4.x are vulnerable. Attackers may
remotely access exposed unsafe methods to execute
arbitrary commands.
This signature detects buffer overflow attempts against
Microsoft IIS. A maliciously crafted HTTP request can exploit
a buffer overflow condition in mfc42.dll by way of ext.dll.
Attackers may gain local access to an IIS server.
This signature detects attempts to create a file on the Web
server by exploiting the newdsn.exe vulnerability in Microsoft
IIS 3.0.
This signature detects chunked POST requests to
NSIISLOG.DLL. Attackers may exploit Windows Media
Services that have logging enabled, and other vulnerabilities
using this method.
This signature detects denial-of-service (DoS) attempts
against Microsoft Outlook Web. Attacker may send a long
string of '%' characters as the user name and/or password.
This signature detects attempts to exploit a vulnerability in
Microsoft IIS 5.0. Attackers may send malicious 'PROPFIND'
requests to the server to crash it.
This signature detects the sadmind/IIS worm attempting to
infect Microsoft IIS. The sadmind/IIS worm first exploits a
vulnerability in a Solaris system, then attacks Microsoft IIS
Web servers using the Web server folder directory traversal
exploit.
This signature detects attempts to locate sensepost.exe on
a Microsoft ISS Web Server. Attackers may use a
proof-of-concept hacking tool to break into a vulnerable
Web server, then copy cmd.exe to the Web server script
directory and rename it sensepost.exe to avoid detection by
log viewers. To identify this event, check your Web server
logs for details--if the server returned a '200' to the request,
your Web server may be compromised.
This signature detects attempts to exploit a vulnerability in
MS Site Server 2.0 with IIS 4. Attackers may upload content
(including ASP) to the target web site and remotely execute
commands.
This signature detects buffer overflow attempts against
Microsoft IIS WebDAV. Attackers may send a maliciously
crafted WebDAV URL request that contains 65535 or 65536
bytes to the Web server to execute arbitrary code as the
system account.
high sos5.0.0,
sos5.1.0
high sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.1.0
high sos5.0.0,
sos5.1.0
medium sos5.1.0
medium sos5.1.0
medium sos5.0.0,
sos5.1.0
high sos5.1.0
critical sos5.1.0
Copyright © 2010, Juniper Networks, Inc.