Symantec™ Security Gateways Reference Guide - Sawmill

IDS eventsIntrusion attempts309Affected:No specific targets.False Positives: None known.References:CAN-1999-0368FTP SpecificationsFTP Buffer OverflowBase Event:Details:Response:Affected:FTPSER_BUFFER_OVERFLOWAn FTP buffer overflow attempt was detected. This indicates than an attempt to compromise theserver. Examination of the packet contents may provide some additional information about theparticular command.Location and audit of client and server is recommended.No specific targets.False Positives: None known.References:FTP SpecificationsFTP Buffer OverflowBase Event:Details:Response:Affected:FTPSER_NOOP_BUFFER_OVERFLOWAn FTP buffer overflow was detected. This indicates than an attempt to compromise the server. Inthis case an unusually long string of NO-OP codes are detected from the client. NO-OP codes arecommonly used in buffer-overflow attacks to increase the chance of exploit code being executed.Location and audit of client and server is recommended. Examination of the packet contents mayprovide some additional information about the particular command.No specific targets.False Positives: None known.References:FTP SpecificationsFTP CreateDirectory Buffer OverflowBase Event:Details:FTP_CREATEDIRECTORY_BOProFTPd versions, prior to and including 1.2pre1, as well as wuftpd versions, up to2.4.2academ[BETA-18] and 2.4.2 beta 18 vr9, are vulnerable to a buffer overflow that could result inremote root access.The user must have write access and be able to create an unusually long directory or directorystructure to exploit this buffer overflow. The precise details of vulnerability have not beendetermined, but the vendor acknowledges the problem.Response: The fix for wuftp was incorporated into 2.4.2 beta 18 VR10, released November 1, 1998.Upgrade to this version or later. proftp resolved this issue with version 1.2.0pre2; a patch is alsoavailable for 1.2.0pre1.