Snort mailing list archives
ProFTPD FreeBSD FTPD remote root exploit rules
From: Ozan UÇAR <mail () ozanucar com>
Date: Sun, 4 Dec 2011 00:48:07 +0200
Hello Guys,

I wrote a FreeBSD FTPD remote root exploit signature for Snort.

alert tcp any any -> any 21 (msg:"ProFTPD FreeBSD FTPD remote root exploit"; pcre:"/(RMD.+etc|RMD.+lib|STOR\s+.*nss_compat.so.1|cron|inetd|syslogd|sendmail)/smi"; reference:cehturkiye.com,bga.com.tr; reference:packetstormsecurity,7350; classtype:attempted-admin; sid:19731; rev:1; )

I tested it,

[**] [1:19731:1] ProFTPD FreeBSD FTPD remote root exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/04-00:44:51.395511 6.6.6.101:48788 -> 6.6.6.154:21
TCP TTL:64 TOS:0x0 ID:2498 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x83C45F55 Ack: 0xCF825A28 Win: 0xE5 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2185084 29606930
[Xref => packetstormsecurity 7350][Xref => cehturkiye.com bga.com.tr]

----
www.cehturkiye.com
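The pcre from the rule above, run against constructed FTP command payloads, as an added example that is not part of the original post: it shows which alternatives of the pattern fire on their own. STRICT_PCRE is a hypothetical tightened variant that assumes the names only matter as the argument of an RMD or STOR command; the sample payloads are constructed.

```python
import re

# pcre body copied verbatim from the posted rule. Snort's /smi modifiers map to
# DOTALL (s), MULTILINE (m) and IGNORECASE (i) in Python's re module.
RULE_PCRE = re.compile(
    r"(RMD.+etc|RMD.+lib|STOR\s+.*nss_compat.so.1|cron|inetd|syslogd|sendmail)",
    re.S | re.M | re.I,
)

# Hypothetical tightened variant, not from the post. Assumption: the names only
# matter as the argument of an RMD or STOR command on a single line.
STRICT_PCRE = re.compile(
    r"^(?:RMD[ \t]+\S*(?:etc|lib)\b"
    r"|STOR[ \t]+\S*(?:nss_compat\.so\.1|cron|inetd|syslogd|sendmail)\b)",
    re.M | re.I,
)

# Constructed client-to-server payloads (one string per TCP payload).
SAMPLES = [
    "RMD etc\r\n",
    "STOR nss_compat.so.1\r\n",
    "RETR sendmail-faq.txt\r\n",     # bare "sendmail" alternative
    "CWD /pub/cron-howto\r\n",       # bare "cron" alternative
    "STOR nss_compat-so-1\r\n",      # unescaped dots match any character
    "RMD uploads\r\nCWD fetch\r\n",  # /s lets .+ cross the line break to "etc" in "fetch"
    "LIST\r\n",
]


def evaluate(payloads):
    """Return (payload, rule_hit, strict_hit) for each payload."""
    return [(p, bool(RULE_PCRE.search(p)), bool(STRICT_PCRE.search(p)))
            for p in payloads]


def rule_only_hits(payloads):
    """Payloads the posted pcre alerts on but the tightened variant does not."""
    return [p for p, rule_hit, strict_hit in evaluate(payloads)
            if rule_hit and not strict_hit]


if __name__ == "__main__":
    for payload, rule_hit, strict_hit in evaluate(SAMPLES):
        print(f"{payload!r:34} rule={rule_hit!s:5} strict={strict_hit}")
```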