Symantec™ Security Gateways Reference Guide - Sawmill

310 IDS eventsIntrusion attemptsAffected: ProFTPD Project ProFTPD 1.2ProFTPD Project ProFTPD 1.2pre1Washington University wu-ftpd 2.4.2(beta 18) VR9Washington University wu-ftpd 2.4.2academ[BETA-18]False Positives: None known.References: Security Focus BID: 2242CVE-1999-0368CA-99-03: FTP-Buffer-OverflowsFTP CWD ~rootBase Event:Details:Response:Affected:FTP_CWD_ROOTAn attempt to access restricted files in root’s home directory through FTP was detected.A complete audit of the client and server is recommended.No specific targets.False Positives: None known.References:FTP SpecificationsFTP Exploit AttemptBase Event:Details:Response:Affected:FTPCLI_RETR_USE_COMPRESS_PROGRAMUse of the “--use-compress-program ” FTP extension was detected. This FTP extensionallows for the execution of an arbitrary program on the server host, and should not be used. It’s useindicates a possible compromise of the FTP server.Location and audit of client and server is recommended. If the extension is enabled, it should bedisabled.No specific targets.False Positives: None known.References:CVE-1999-0202http://www.whitehats.com (arachNIDS #134)FTP SpecificationsFTP Exploit AttemptBase Event:Details:Response:FTPCLI_SITE_EXECThe site exec FTP extension was detected. This FTP extension allows for the execution of anarbitrary program on the server host, and should not be used. It’s use indicates a possiblecompromise of the FTP server.If seen in sufficient volume or variation audit of client and server is recommended. If thisextension is enabled, it should be disabled.