IDS318/FTP_FTP-CWD~ROOT

Platform(s): unix
Category: ftp
Classification: System Integrity Attempt

CVE: CVE-1999-0082
Bugtraq: nomatch
advICE: 2001304

This event indicates an attempt to circumvent access restrictions on older FTP server software. Certain older, vulnerable versions of FTP server software allow an attacker to access the entire filesystem with root permissions.
This event is specific to a vulnerability, but may have been caused by any of several possible exploits. Signatures used to detect this event are specific and consider the packet payload.
Trusting The Source IP Address
The packet that caused this event is normally a part of an established TCP session, indicating that the source IP address has not been spoofed. If you are using a firewall that supports stateful inspection, and are not vulnerable to sequence number prediction attacks, then you can be fairly certain that the source IP address of the event is accurate. It has been noted that the intruder is likely to expect or desire a response to their packets, so it may be likely that the source IP address is not spoofed.
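An added example, not part of the arachNIDS entry or any Whitehats signature: a small Python monitor that checks reassembled FTP control-channel lines for the command named by this event and CVE-1999-0082, and records whether the alert came from an established session. The class and function names, the regular expression and the sample traffic are assumptions constructed for illustration.

```python
import re

# Assumption: the event name (FTP-CWD~ROOT) and CVE-1999-0082 refer to a
# "CWD ~root" command on the FTP control channel; this pattern is illustrative.
CWD_ROOT = re.compile(rb"^\s*CWD\s+~root(?:[/\s]|$)", re.IGNORECASE)


class FtpControlMonitor:
    """Scans the client side of one FTP control connection, segment by segment."""

    def __init__(self, established: bool):
        # True only if the sensor saw the TCP handshake complete; that is the
        # condition under which the entry treats the source address as reliable.
        self.established = established
        self.buf = b""
        self.alerts = []

    def feed(self, segment: bytes):
        """Add one TCP payload; return alerts for the lines it completed."""
        self.buf += segment
        new = []
        # Commands end in CRLF (bare LF tolerated). Matching whole lines
        # catches a command that was split across two TCP segments.
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if CWD_ROOT.match(line):
                new.append({
                    "event": "IDS318/FTP_FTP-CWD~ROOT",
                    "command": line.decode("ascii", "replace"),
                    "in_established_session": self.established,
                })
        # Bound memory: discard an unterminated line longer than 4096 bytes.
        if len(self.buf) > 4096:
            self.buf = b""
        self.alerts.extend(new)
        return new


def scan(segments, established=True):
    """Run one connection's client-to-server payloads through a monitor."""
    mon = FtpControlMonitor(established)
    for seg in segments:
        mon.feed(seg)
    return mon.alerts

# Constructed sample payloads (not a real capture): one split, oddly cased hit.
SAMPLE = [b"USER ftp\r\nPASS a@b\r\n", b"cwd  ~ro", b"ot\r\nCWD ~rooter\r\n", b"CWD /pub\r\n"]
```
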
Protocol details... (ip header, tcp/udp/icmp header, payload data)
Research details... (packet captures, background, credits)
IDS Signatures... (dynamically generated signatures for free and commercial IDS)
Copyright © 2001 Whitehats, Inc. All rights reserved.