Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 919

Table 124: Deep Inspection Alarm Log Entries (continued)
Attack Name
DOS:NETDEV:WEBJET-TRAVERSAL
DOS:NETDEV:WEBJET-WRITETOFILE
FTP:COMMAND:PLATFTP-CD-DOS
FTP:COMMAND:SITE-EXEC
FTP:DIRECTORY:DOT-DOT
FTP:DIRECTORY:MSIE-FTP-DIRTRAV
FTP:EXPLOIT:BOUNCE-ATTACK
FTP:EXPLOIT:FTPBIN-WRITEABLE
Copyright © 2010, Juniper Networks, Inc.
Attack Description
This signature detects directory traversal attempts against
HP Web JetAdmin service. HP Web JetAdmin version
7.5.2546 and earlier are vulnerable. Because JetAdmin does
not properly verify input to the setinclude parameter in
/plugins/hpjdwm/script/test/setinfo.hts
a directory traversal to read and execute arbitrary HTS files.
This signature detects attempts to exploit a vulnerability in
HP Web JetAdmin service. Web JetAdmin versions 7.x are
vulnerable. Attackers may send a maliciously formatted
request to a Web JetAdmin script to execute arbitrary
commands on the server.
This signature detects attempts to exploit a vulnerability in
PlatinumFTP. Attackers may submit a maliciously crafted
pathname in a CD request to crash the FTP daemon.
PlatinumFTP 1.0.6 and earlier versions are vulnerable.
This signature detects attempts to exploit a configuration
vulnerability in wuFTPd. Version 2.4.1 is susceptible.
pathnames.h sets _PATH_EXECPATH to /bin, which is
relative to ~ftp for anonymous users, but relative to / for
users with accounts (specifying the actual /bin rather than
~ftp/bin). Attackers may establish an FTP account on the
system and run the site exec command to gain access to
the /bin directory.
This signature detects '../..' FTP commands sent to FTP/21.
Attackers may change the directory to the root directory of
the FTP service, and gain access to the system.
This signature detects a Microsoft Internet Explorer client
attempting to download a file from a malicious server. The
server may embed a directory traversal attack in the filename
to specify the exact file download location on the client
machine.
This protocol anomaly is an FTP bounce attack. There are
two possibilities: a PORT command specified an IP address
different from the client address, or a PASV command
resulted in a 227 message with an IP address different than
the server.
This signature detects an attempt by a malicious attacker
to upload files with the names of common binaries to the
FTP server's /bin directory. Successful exploitation of this
vulnerability may result in the attacker being able to execute
arbitrary code on the victim ftp server, including the reading
of sensitive files outside of the ftp server's path.
Appendix E: Log Entries
Severity
high
, attackers may use
critical
medium
medium
medium
medium
high
medium
Versions
sos5.1.0
sos5.1.0
sos5.0.0,
sos5.1.0
sos5.0.0,
sos5.1.0
sos5.1.0
sos5.1.0
sos5.0.0,
sos5.1.0
sos5.1.0
869