12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


IDS events: Intrusion attempts

CodeRed Worm

Base Event: CODERED_WORM

Details: The code red worm uses a buffer overflow vulnerability in the idq.dll, which runs at the system security level, when handling URL requests. Once an attacker establishes a session on the Web server and causes a buffer to overflow, that attacker can perform virtually any function on that server.

Response: Please refer to the following link for more information about the available fixes: CodeRed Removal Tool

For Microsoft Windows 2000 Professional, Server and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

For Microsoft Windows 2000 Datacenter Server, patches are hardware-specific and available from the original equipment manufacturer.

The vulnerability is eliminated beginning with Microsoft Windows XP Release Candidate 1.

Affected:
Microsoft IIS 4.0 and 5.0
Microsoft Personal Web Server 4.0
Microsoft Index Server 2.0
Indexing Service in Microsoft Windows 2000

False Positives: None known.

References:
Security Focus BID: 2880
CVE-2001-0500
Microsoft Security Bulletin: MS01-033
Symantec Security Response: CodeRed Worm

ColdFusion Expression Evaluator Access

Base Event: HTTP_URL_SIG14

Details: An attempt to access the Macromedia ColdFusion expression evaluator was detected. There is a known vulnerability in Macromedia ColdFusion that could be exploited to delete and display any file in the system.

Response: Location and audit of client and server is recommended. If you intended to be using these CGIs you should contact the vendor for any applicable updates.

Affected: Macromedia ColdFusion Server 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0.

False Positives: None known.

References:
CVE-1999-0477
HTTP Specifications

DeepThroat Trojan

Base Event: FTPSER_TROJAN_DEEPTHROAT

Details: The DeepThroat Trojan horse was detected.

Response: Location and audit of client and server is recommended.
