Snort mailing list archives

Previous By Date Next
Previous By Thread Next

ProFTPD FreeBSD FTPD remote root exploit rules

From: Ozan UÇAR <mail () ozanucar com>
Date: Sun, 4 Dec 2011 00:48:07 +0200
Hello Guys,

I wrote FreeBSD FTPD remote root exploit signature for snort.

alert tcp any any -> any 21 (msg:"ProFTPD FreeBSD FTPD remote root
exploit";
pcre:"/(RMD.+etc|RMD.+lib|STOR\s+.*nss_compat.so.1|cron|inetd|syslogd|sendmail)/smi";
reference:cehturkiye.com,bga.com.tr; reference:packetstormsecurity,7350;
classtype:attempted-admin; sid:19731; rev:1; )

I tested it,

[**] [1:19731:1] ProFTPD FreeBSD FTPD remote root exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/04-00:44:51.395511 6.6.6.101:48788 -> 6.6.6.154:21
TCP TTL:64 TOS:0x0 ID:2498 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x83C45F55  Ack: 0xCF825A28  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2185084 29606930
[Xref => packetstormsecurity 7350][Xref => cehturkiye.com bga.com.tr]


----
www.cehturkiye.com

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: