May 24, 2002
NetProwler 3.5.1 Security Update 16

Description

NetProwler 3.5.1 SU16 contains a total of six (6) signatures: two new and four updated. The new signatures detect the W32.Klez.gen@mm worm family propagating across the network via SMTP and NetBIOS shares, and a buffer overflow targeting /bin/login. The four updated signatures detect AltaVista directory traversal attempts, MStream master and client communications, and MStream flooding. You may obtain NetProwler 3.5.1 SU16 through the product's autoupdate feature.

Security Update 16 Signatures

  • AltaVista_Traversal

    The AltaVista search engine includes a CGI that accepts "../" in standard queries. This allows an attacker to read sensitive files in the HTTP directory one level above the search engine, including the trivially encrypted password for the remote administration utility. The CGI also processes additional "../" sequences when they are hex (URL) encoded as %2e%2e%2f, which lets an attacker read files anywhere on the host file system. This signature detects an attempt to exploit this vulnerability.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0039
  • Login_Buffer_Overflow

    This signature provides an early warning to the administrator that an attacker is attempting to exploit a buffer overflow in some System V derived versions of /bin/login. The exploit overflows a buffer in login with attacker-supplied input and binds a shell, which the attacker can then use to add a new user account to /etc/passwd or /etc/shadow. The attack is delivered over a telnet or rlogin session. The signature inspects the session and alerts when an attempt to overflow the buffer is observed.

    http://www.cert.org/advisories/CA-2001-34.html
  • MStream_Client_Login

    This signature provides an early warning to the administrator that traffic resembling MStream control communication has been detected. Specifically, the MStream_Client_Login signature watches for TCP packets of a particular length that contain character strings that are unique to MStream.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138
  • MStream_Flood

    This signature provides an early warning to the administrator that traffic resembling an MStream flood has been detected. Specifically, the MStream_Flood signature watches for TCP ACK packets that have both a particular total size and a particular TCP window size, the combination sent by MStream agents when flooding a target.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138
  • MStream_Master_Login

    This signature provides an early warning to the administrator that traffic resembling MStream control communication has been detected. Specifically, the MStream_Master_Login signature watches for TCP packets of specific lengths that contain character strings unique to MStream.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0138
  • SMTP_Klez_Propagation

    This signature detects the propagation of the W32.Klez.gen@mm family of worms over SMTP. Klez is a mass-mailing email worm that also attempts to copy itself to network shares. The worm harvests email addresses from the Windows Address Book, the ICQ database, and local files, then sends each address a message with itself as an attachment. The subject line, message body, and attachment file name are chosen at random, so they are not reliable indicators on their own. Klez also attempts to disable some common antivirus products.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

Last modified on: Tuesday, 11-Jun-02 18:46:59