//Copyright (c) 1998-1999 Network ICE Corporation. All rights reserved.

[IssueTable]

//This file contains the master list of all issues known
//to IceCap

issueId | name | type | impact | pk-severity | di-severity | roots | Class | Summary | Defense | Risk |
---|---|---|---|---|---|---|---|---|---|---|
1 | Heartbeat | 0 | 0 | 0 | 0 | | Informational | Agent heartbeat. | n/a | n/a |
2 | Expired License | 0 | 0 | 0 | 3 | | Informational | The product license has expired. | n/a | n/a |
3 | Invalid License | 0 | 0 | 0 | 3 | | Informational | The license key is invalid; therefore the product will not run. | n/a | n/a |
4 | Unlicensed Feature | 0 | 0 | 0 | 2 | | Informational | A feature was requested but, because it is not licensed, it is not supported. | n/a | n/a |
5 | License Will Expire | 0 | 0 | 0 | 2 | | Informational | The product license expires soon. | n/a | n/a |
6 | Detector Shutdown | 0 | 0 | 0 | 4 | | Informational | The detector has shut down. | n/a | n/a |
7 | Unused | 0 | 0 | 0 | 0 | | . | n/a | n/a | |
8 | Filter failed | 0 | 0 | 0 | 4 | | Informational | A firewall filter could not be set. | n/a | n/a |
9 | FAILURE | 0 | 0 | 0 | 4 | | FAILURE | There is a good chance that BlackICE is causing a crash on startup; please click on the advICE link (to the right) to resolve this. | n/a | n/a |
10 | phone home | 0 | 0 | 0 | 0 | | Informational | This is a pseudo-event that tells BlackICE to contact ICEcap. | n/a | n/a |
11 | Startup Delay | 0 | 0 | 0 | 4 | | FAILURE | An important failure occurred on the last run, so BlackICE is waiting up to 20 minutes before starting. | n/a | n/a |
12 | NO ADAPTERS OPEN | 0 | 0 | 0 | 4 | | FAILURE | NETWORK ICE WAS NOT ABLE TO CONNECT TO ANY ADAPTERS ON YOUR SYSTEM, PRESS advICE FOR MORE INFO. | n/a | n/a |
13 | INSTALLATION-FAILURE | 0 | 0 | 0 | 4 | | FAILURE | The file 'blackdll.dll' could not be found or is corrupt. Please click on the advICE button for more help. | n/a | n/a |
14 | OEM NOT INSTALLED | 0 | 0 | 0 | 4 | | FAILURE | This version of BlackICE only runs with the equipment the software came with. Please click the advICE button for more info. | n/a | n/a |
15 | EVALUATION PERIOD OVER | 0 | 0 | 0 | 4 | | FAILURE | The evaluation period is over. Please click on the advICE button to order the latest version. | n/a | n/a |
16 | Download Successful | 0 | 0 | 0 | 0 | | Informational | The agent software download succeeded. | n/a | n/a |
17 | Download Failed | 0 | 0 | 0 | 4 | | Informational | The agent software download failed. | n/a | n/a |
18 | ICEcap Agent not responding | 0 | 0 | 0 | 4 | | Informational | ICEcap has determined that an agent is not responding. | n/a | n/a |
19 | Invalid User Settings | 0 | 0 | 0 | 4 | | Informational | Value is out of range. | n/a | n/a |
50000 | pwd.admin.null | 0 | 1 | 3 | -1 | | Vulnerability | An administrator/root account was detected with an empty password. | Every user name or account should have a password with a minimum length of 8 characters. The password should include at least one digit and at least one non-alphanumeric symbol. It is also good to use both upper and lower case letters. If you do need a user name or account without a password, it should not be an administrator/root account. | n/a |
50001 | pwd.admin.simple | 0 | 1 | 3 | -1 | | Vulnerability | An administrator account was detected where the password is the same as the logon name. | Every user name or account should have a password with a minimum length of 8 characters. The password should include at least one digit and at least one non-alphanumeric symbol. It is also good to use both upper and lower case letters. If you do need a user name or account without a password, it should not be an administrator/root account. | n/a |
50002 | pwd.user.null | 0 | 1 | 3 | -1 | | Vulnerability | A user account was detected with an empty password. | Every user name or account should have a password with a minimum length of 8 characters. The password should include at least one digit and at least one non-alphanumeric symbol. It is also good to use both upper and lower case letters. If you do need a user name or account without a password, it should not be an administrator/root account. | n/a |
50003 | pwd.user.simple | 0 | 1 | 3 | -1 | | Vulnerability | A user account was detected where the password is the same as the logon name. | Every user name or account should have a password with a minimum length of 8 characters. The password should include at least one digit and at least one non-alphanumeric symbol. It is also good to use both upper and lower case letters. If you do need a user name or account without a password, it should not be an administrator/root account. | n/a |
100000 | Info | 1 | 0 | 0 | -1 | 119999 | Category | Category for auto-discovery style information. | n/a | n/a |
100001 | Read | 1 | 0 | 0 | -1 | 119999 | Category | Category for probes that attempt to read files from targets. | n/a | n/a |
100002 | Write | 1 | 0 | 0 | -1 | 119999 | Category | Category for probes that attempt to write files to targets. | n/a | n/a |
100003 | Login | 1 | 0 | 0 | -1 | 119999 | Category | Category for probes that assess vulnerability to login verifiers. | n/a | n/a |
100004 | Execute | 1 | 0 | 0 | -1 | 119999 | Category | Category for probes that attempt to execute programs on target. | n/a | n/a |
100005 | Exploit | 1 | 0 | 0 | -1 | 119999 | Category | Category for probes that attempt to exploit well-known vulnerabilities. | n/a | n/a |
100006 | DoS | 1 | 0 | 0 | -1 | 119999 | Category | Category for Denial-of-Service attacks. THIS IS A DANGEROUS CATEGORY THAT SHOULD NORMALLY BE TURNED OFF. | n/a | n/a |
100007 | Passive | 1 | 0 | 0 | -1 | 119999 | Category | Category for discovery information about target from 3rd party sources (does not send packets to target). | n/a | n/a |
100008 | Bounce | 1 | 0 | 0 | -1 | 119999 | Category | Category for detecting vulnerabilities and attacks that can be recursed through the target. | n/a | n/a |
110001 | User | 1 | 0 | 0 | -1 | 119998 | Category | Category for probing for user account information. | n/a | n/a |
110005 | RoutingInfo | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering routing and topology information. | n/a | n/a |
110006 | Time | 1 | 0 | 0 | -1 | 119998 | Category | Category for probing for timestamps on target machines. | n/a | n/a |
110007 | Defaults | 1 | 0 | 0 | -1 | 119998 | Category | Category for probes that discover well-known default configurations that should have been disabled during installation. | n/a | n/a |
110008 | Backdoor | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering the existence of "Backdoor" programs and Trojan Horses. | n/a | n/a |
110009 | OS | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering operating system information. | n/a | n/a |
110010 | Services | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering which services are running on the targets. | n/a | n/a |
110011 | Hosts | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering information about the existence of new hosts. | n/a | n/a |
110012 | Names | 1 | 0 | 0 | -1 | 119998 | Category | Category for discovering named objects on the network. | n/a | n/a |
119998 | root.class | 1 | 0 | 0 | -1 | | Meta-category | Meta-category for categories that group according to what information they find. | n/a | n/a |
119999 | root.impact | 1 | 0 | 0 | -1 | | Meta-category | Meta-category for categories that group according to what impact they have on the target. | n/a | n/a |
120000 | root.protocol | 1 | 0 | 0 | -1 | | Meta-category | Meta-category for categories that group according to protocol. | n/a | n/a |
120001 | TCP | 1 | 0 | 0 | -1 | 120000 | Category | Protocol category for TCP-specific protocols. | n/a | n/a |
120002 | TCP port scan | 2 | 3 | 0 | -1 | 120001 | Scan | Scans through the TCP ports on the target host looking for services to exploit. Some TCP ports are assigned to specific Internet protocols by the Internet Assigned Numbers Authority (IANA). It is a good idea to disable ports that are not needed. Open ports can provide an entryway for attackers. When an open port is found, the attacker attaches to that port and attempts to exploit any weaknesses of the services using the port. | Disable TCP ports for unused services. | Scans TCP ports. |
120003 | UDP port scan | 2 | 3 | 0 | -1 | 120001 | Scan | Scans through the UDP ports on the target host looking for services to exploit. It is a good idea to disable ports that are not needed. Open ports can provide an entryway for attackers. When an open port is found, the attacker attaches to that port and attempts to exploit any weaknesses of the services using the port. UDP scans are less common than TCP scans, because UDP is a less reliable transport. | Disable unnecessary ports or filter access. Filter outgoing ICMP "Destination Port Unreachable" packets, which tell the hacker which ports are inactive. | Scans for open UDP ports. |
120004 | ICMP | 2 | 0 | 0 | -1 | 120000 | Category | Protocol category for ICMP. | n/a | n/a |
120005 | SNMP | 0 | 0 | 0 | -1 | 120000 | Category | Protocol category for SNMP. | n/a | n/a |
120006 | RPC | 2 | 0 | 0 | -1 | 120000 | Category | Protocol category for Sun RPC. | n/a | n/a |
120007 | rpc.mountd | 2 | 0 | 0 | -1 | 120006 | Category | Protocol category for mountd. This actually fans out to two sub-probes, RPC mountd Spoof UID and RPC mountd Via.Portmap. | Patch mountd in RPC services. | This is the parent probe for mountd vulnerabilities. |
120008 | DNS | 0 | 0 | 0 | -1 | 120000 | Category | Protocol category for DNS. | n/a | n/a |
120009 | SMB | 1 | 0 | 0 | -1 | 120000 | Category | Protocol category for SMB. | n/a | n/a |
120010 | NetBIOS | 1 | 0 | 0 | -1 | 120000 | Category | Protocol category for NetBIOS. | n/a | n/a |
200011 | Systat banner check | 2 | 0 | 0 | -1 | 100000:110001:120001:110010 | Vulnerability | The UNIX 'systat' protocol provides a list of running programs and often some user information as well. This provides a hacker with a structure of the system. While 'systat' is useful for network management purposes, it is also very useful to hackers looking for information about a system. | Disable service; change banner to not reveal any version information, or disable banner. | Determines active users and applications on a system. |
200013 | Daytime banner check | 2 | 0 | 0 | -1 | 100000:110006:120001 | Vulnerability | This probe acquires the system time and date from a system. An incorrect time on a computer may indicate to a hacker a poorly maintained system full of well-known vulnerabilities. This protocol is more often used in "ping-pong" or denial of service attacks. | This protocol is of little value and should be disabled. | Retrieves time and date from target system(s). |
200021 | FTP banner check | 2 | 0 | 0 | -1 | 100000:120001:110009:110010 | Vulnerability | Reads the FTP banner and attempts to discover the FTP server, version, and operating system. Knowing the version number of an operating system can help hackers looking to exploit known holes or bugs in the operating system version. The FTP banner is transmitted when anyone logs on to the server. It looks something like this: "220 frodo.shire.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready." Since banners are always sent during a connection, there is no indication of a problem. A few FTP servers allow you to configure the banner information. Many UNIX-based FTP servers come with source code, which can be recompiled to omit or change the banner information. | Update FTP software and/or operating system; or install patches to suppress version numbers in FTP banners. | Determines operating system and version. |
200023 | Telnet banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | Attempts to connect to the Telnet port. Once connected, it reads the Telnet banner and attempts to discover information about the target system. Since Telnet is a simple command interface, it can allow the intruder unlimited access to execute programs on the target system. This depends on the capabilities granted to telnet users. | Close telnet service; limit access to telnet users. | Obtains information via Telnet service. |
200025 | SMTP banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the SMTP port. If successful, the probe attempts to get other information from the SMTP banner message. Information in the SMTP banner can expose version numbers and other information a hacker can use to exploit known vulnerabilities. | Disable banner in inetd.conf (UNIX), or change banner contents to not reveal any sensitive information. | Obtains SMTP banner information. |
200037 | Time protocol banner check | 2 | 0 | 0 | -1 | 100000:110006:120001 | Vulnerability | This probe acquires the system time. An incorrect time on a computer may indicate to a hacker a poorly maintained system full of well-known vulnerabilities. This protocol is more often used in "ping-pong" or denial of service attacks. | This protocol is of little value and should be turned off. | Checks to see if system time information is available. |
200053 | DNS banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the Domain Name Service port. If successful, the probe then does a reverse DNS lookup using the in-addr.arpa domain to look for a DNS name for the target system. The Domain Name Service (DNS) protocol is the major information protocol for finding systems or resources on the internet. The DNS protocol is defined by the ARPA Internet community specifications. DNS servers are very powerful sources of information for intruders, especially if the DNS daemon is running on a machine with limited protection. An intruder can use DNS information to find out about other machines on the target network. The intruder can also use this information to redirect traffic from the target network to his own machine, where he can then manipulate or analyze the traffic. | This is a legitimate use of DNS services. Disable in inetd.conf or set filter. | DNS lookup through TCP port. |
200070 | Gopher banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the Gopher service on TCP port 70. The Internet Gopher protocol is designed for distributed document search and retrieval. | Disable service; change banner to not reveal any version information, or disable banner. | Obtains information via Gopher services. |
200079 | Finger banner check | 2 | 0 | 0 | -1 | 100000:110001:120001 | Vulnerability | Lists logged-on users. Equivalent to doing a "finger @host", where "host" is the name of the target machine. The finger client program ships with all versions of UNIX, and is available for Windows platforms. | Disable "finger" service. | Obtains list of users logged on to a system. |
200080 | HTTP banner check | 2 | 0 | 0 | -1 | 100000:120001:110009:610000:110010 | Vulnerability | The HTTP banner can sometimes reveal version numbers and other information about HTTP services on a system. | Change banner to not reveal any version information, or disable banner. | Gathers information about HTTP services. |
200109 | POP2 banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the POP2 TCP port. If it connects, it then parses the POP2 banner to obtain various information about the target system. | Change banner to not reveal any version information, or disable banner. | Gathers information about Post Office Protocol 2 (POP2) services. |
200110 | POP3 banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the POP3 TCP port. If it connects, it then parses the POP3 banner to obtain various information about the target system. | Change banner to not reveal any version information, or disable banner. | Gathers information about Post Office Protocol 3 (POP3) services. |
200119 | NNTP banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the NNTP TCP port and parse the NNTP banner. From the banner, the hacker can determine information about the system, including the version number of the NNTP services. | Change banner to not reveal any version information, or disable banner. | Gathers information about Network News Transfer (NNTP) services. |
200137 | NetBIOS name check | 2 | 0 | 0 | -1 | 100000:120001:110001:120010:110010 | Vulnerability | This probe attempts to connect to the NetBIOS name service TCP port. If successful, it then does a NetBIOS name service status request to get the various name information about the target system. The NetBIOS name information may include the name of the current user. With the logon user name, the attacker can then attempt to crack the user's password. Without a logon name, a password crack is virtually impossible. | Disable NetBIOS services if the system is directly exposed to the Internet; otherwise this is a legitimate use of the NetBIOS services and cannot be disabled. | Gathers information about connected users and NetBIOS services. |
200139 | NetBIOS session banner check | 2 | 0 | 0 | -1 | 100000:110006:120001:110010 | Vulnerability | This probe attempts to connect to the NetBIOS session service TCP port. The NetBIOS session service is used to access the file system and other resources on the target system. If this probe is successful, then attackers may be able to access the disk drive on your system. | Disable NetBIOS services if the system is directly exposed to the Internet; otherwise this is a legitimate use of the NetBIOS services and cannot be disabled. | Gathers information about connected users and NetBIOS services. |
200143 | IMAP4 banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the Internet Message Access Protocol - Version 4 TCP port and download the IMAP banner. The IMAP banner may reveal the manufacturer or version of the IMAP services, and may contain well known security vulnerabilities. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Gathers information from the Internet Message Access Protocol - Version 4. |
200220 | IMAP3 banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the Internet Message Access Protocol - Version 4 TCP port and download the IMAP banner. The IMAP banner may reveal the manufacturer or version of the IMAP services, and may contain well known security vulnerabilities. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Gathers information from the Internet Message Access Protocol - Version 3. |
200513 | rlogin banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the Remote Login TCP port available on many UNIX systems. The probe attempts to read information from the Rlogin banner. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Obtains information from the Remote Login (Rlogin) TCP port. |
200514 | rsh banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the Remote Shell TCP port and download the banner information. The banner can reveal information about the UNIX system and the remote shell services. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Obtains information from the remote shell (rsh) TCP port on UNIX systems. |
200515 | lpr banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This simple probe attempts to connect to the LPR service and download the banner information. The banner can reveal information about the service as well as the UNIX operating system. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Obtains information via Remote Line Printer services on UNIX. |
201080 | SOCKS banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the SOCKS TCP port. SOCKS is a secure proxy service designed to allow transparent authenticated access to general TCP services. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Determines status of SOCKS port. |
206000 | X-Windows banner check | 2 | 0 | 0 | -1 | 100000:120001:110010 | Vulnerability | This probe attempts to connect to the X-Windows TCP port and download the X-Windows banner information. The banner may contain information about the X-Windows service and the operating system. | Disable service in inetd.conf (UNIX) or change banner to not display any service information. | Obtains information via X-Windows service. |
210004 | OS fingerprint | 2 | 0 | 4 | -1 | 110009 | Vulnerability | TCP and ICMP specifications do not specify how a system should respond to incorrect requests. A hacker can send many incorrect requests to systems on a network. Based on known responses, the hacker can then "fingerprint" the operating system by how it responds to the incorrect TCP or ICMP requests. | There really is no defense to this attack since it takes advantage of an inherent weakness in how TCP and ICMP are implemented on different operating systems. | Attempts to determine the operating system of a device. |
210005 | TCP seqno prediction | 2 | 0 | 4 | -1 | 100005 | Vulnerability | Discovers that the machine is vulnerable to "TCP seqno prediction", which allows attackers to use IP spoofing to connect to machines. The attacker connects to a system using a spoofed IP address and sends commands to the system. The attacker cannot receive responses from your system, but based on experience with your system's operating system can guess the responses. | Upgrade operating system to latest version. | Attacker is able to disguise where he is coming from, and can thus bypass IP authentication schemes. |
210006 | Finger | 2 | 2 | 3 | -1 | 110001 | Vulnerability | Obtains user information for all users configured on the target system. Finger is normally used to provide information about a specific user on the target system. Using finger with the "0" parameter on some versions of finger will return all information about all users on the target system. Getting a valid user name for the target system is very important information to an attacker. If the finger 0 command works, then the attacker will have an extensive list of user names to use for logon attempts and password cracking. | Disable "finger" commands. | Obtains list of users logged on to a system. |
210007 | pingpong nuke | 2 | 2 | 3 | -1 | 100006 | Vulnerability | Several "simple TCP/IP services" are only used for testing and should not be enabled in production environments. When sent a packet, these services will automatically respond. This allows a hacker to forge a packet from one victim to another. The packets will then bounce back and forth infinitely between the victims. | On WinNT disable "Simple TCP/IP Services". On UNIX disable the 'quoted', 'echo' and 'chargen' services. | System performance degrades. |
220001 | FTP bounce | 0 | 0 | 3 | -1 | 100005 | Vulnerability | Exploits a "feature" of FTP servers where an anonymous user can download a file to another IP address. Thus, an attacker from one IP address can break into another IP address but appear to come from the FTP server in the middle. | Upgrade FTP server and/or disable PORT commands to other IP addresses. | Scans through firewalls, hides true source of scans behind your server (making you look like the source instead). |
220002 | FTP restricted port | 0 | 0 | 2 | -1 | 100005 | Vulnerability | Ports below 1024 are used for well-known services. This allows a hacker to use the FTP server to gain root privileges on a UNIX machine providing "shell account" services. It can also be used in conjunction with the FTP bounce attack. | Upgrade FTP server and/or disable PORT commands to other IP addresses. | Scans through firewalls. |
220003 | FTP CWD ~root | 0 | 0 | 0 | -1 | 100005 | Vulnerability | Some misconfigured FTP servers point "~root" to the "/" directory. This gives the attacker access to all files on the FTP Server. Since many FTP servers can also host other services, this can potentially open up the entire server to attack. | Upgrade FTP server to patch this known bug. | Exploits a bug in FTP servers that gains access to the entire FTP server. |
220004 | FTP SITE EXEC | 0 | 0 | 0 | -1 | 100005 | Vulnerability | The "SITE EXEC" feature is enabled on some FTP servers and is used for remote administration and debugging. It can be exploited in several ways to compromise the system. An attacker can gain access to all files on the FTP Server. Since many FTP servers can also host other services, this can potentially open up the entire server to attack. | Upgrade FTP server to patch this known bug. | Exploits a bug in FTP servers that gains access to the entire FTP server. |
280001 | TCP half-open scan | 2 | 2 | 0 | -1 | 120001 | Vulnerability | A half-open scan is when we attempt to open a 1/2 connection to a port on the target host. The target system responds with ACK packets if the port is available, else RST. | No known defense. | Scans system using "TCP half-open connections". |
280002 | TCP fragmented IP half-open scan | 2 | 2 | 0 | -1 | 120001 | Vulnerability | A half-open scan is when we attempt to open a 1/2 connection to a port on the target host. For this specific scan, we fragment the TCP header into three IP packets. The target system responds with ACK packets if the port is available, else RST. | BlackICE will block fragmented IP packets. Firewalls can block fragmented IP packets. | Scans system using IP fragmented "TCP half-open connections". |
300002 | SNMP interfaces | 2 | 0 | 0 | -1 | 100000:120005 | Vulnerability | Used to map the network; it can also locate dial-up interfaces on the network. | Disable SNMP access. | Lists network interfaces from SNMP "ifTable". |
300004 | SNMP IP addresses | 2 | 0 | 0 | -1 | 100000:120005 | Vulnerability | Used to map the network. Retrieves list of IP addresses on the target system. | Disable SNMP access. | Lists IP addresses from SNMP "ipAddrTable". |
300100 | SNMP MIB-II | 2 | 0 | 0 | -1 | 100000:120005 | Vulnerability | Used to map the network; it indicates capabilities of the target. | Disable SNMP access. | Lists common MIB-II (Management Information Base-II) groups. |
300400 | SNMP private data | 2 | 0 | 0 | -1 | 100000:120005 | Vulnerability | Retrieves information from the private data portion of the SNMP MIB on the target system. If a hacker knows who manufactured the device, he can exploit known vulnerabilities in that manufacturer's products. | Disable SNMP access. | Lists vendor MIB (Management Information Base) extensions. |
310001 | SNMP ARP table | 2 | 0 | 0 | -1 | 100000:120005 | Vulnerability | Retrieves cached information from the target system's ARP table using SNMP. An attacker can use this information to map the network. | Disable SNMP access. | Downloads ARP table from target. |
310002 | SNMP password crack | 0 | 3 | 3 | -1 | 120005:100003 | Vulnerability | Attempts to guess SNMP access passwords. This test runs an extensive list of passwords to attempt to gain access to SNMP information on the target system. | Disable SNMP access; enable IP address filtering. | Tries many common SNMP community strings. |
310003 | SNMP crash check | 0 | 0 | 4 | -1 | 100006:120005 | Vulnerability | This probe sends specially constructed packets which are known to crash some implementations of SNMP. For example, HP JetDirect printers have well-known bugs that cause them to crash when they receive special SNMP packets. Some sites rely upon printouts to indicate security violations. By crashing all the printers, the attacker can evade detection. | Disable SNMP access; patch/upgrade systems. | Sends packets known to crash various implementations of SNMP. |
310004 | SNMP walk entire MIB | 0 | 0 | 0 | -1 | 120005:100000 | Vulnerability | This probe attempts to download the entire MIB (Management Information Base) from an SNMP device. This can reveal information about the device as well as all the devices with which the target has communicated. | Disable SNMP access. | Attempts to download the MIB-II tables. |
400000 | rpcinfo portmap dump | 2 | 0 | 0 | -1 | 100000:120006:110010 | Vulnerability | Lists services on a machine, including port numbers and versions. A hacker can use this information to plan an attack on known vulnerabilities in the services. | Disable "dump" command; disable RPC on machines exposed to the Internet. | Sends "dump" command to RPC portmapper/rpcbind service. |
400001 | rpc.rstatd | 0 | 0 | 0 | -1 | 100000:120006 | Vulnerability | Attempts to retrieve performance information about the machine. Using this, an attacker can determine which systems are active and inactive, thus helping to build a map of the network. | Disable "rstatd", or restrict access to management consoles. | Retrieves performance information via the UNIX RPC "rstatd" daemon. This reveals some configuration and status information. |
400002 | rpc.rusersd | 0 | 0 | 2 | -1 | 100000:110001:120006 | Vulnerability | The "rusersd" protocol can provide a list of user accounts and information about those accounts. This can be extremely valuable for determining which accounts to attempt cracks on. A hacker also can use this information to pose as a network administrator or other authority figure to carry out a social engineering attack. | Disable service or restrict access to certain IP address(es). | Lists active users by retrieving user account information using the RPC "rusersd" protocol. |
400005 | rpc.showmount | 0 | 0 | 0 | -1 | 100000:120006 | Vulnerability | This attack provides a list of available disk shares. With this information a hacker can attempt to access the shares. Many shares are not password protected and therefore are wide open for attack. | Disable service or restrict access to certain IP address(es). | Lists which volumes are available on a system. |
500002 | ICMP trace route | 0 | 0 | 0 | -1 | 120004 | Vulnerability | This probe allows ICEscan to map the network. This probe uses the ICMP Echo request with different maximum hop counts to trace the IP addresses between ICEscan and the target system. An attacker can use trace route information to plan "man-in-the-middle" attacks, where they may bounce or spoof frames off of intermediate systems to gain access to the target system. Trace route information can also enable hackers to hijack connections by redirecting routers and using other techniques. | Tracerouting is a legitimate network function that cannot be stopped. The only way to avoid trace routing is to block traffic at a firewall. | Lists all routers to the target. |
500003 | ICMP ping (echo) | 0 | 0 | 0 | -1 | 120004 | Vulnerability | Pinging devices is one way to map a network. One of the most common preludes to an attack is for the hacker to ping sweep the network. This entails sending ICMP Echo Requests to all addresses on a network and seeing who responds and who does not. ICEscan uses this to test a system before scanning or testing. | Disable/filter ICMP echoes. | Tests to see if a machine is alive. |
501003 | ICMP ping of death attack | 3 | 3 | 4 | -1 | 120004:100006 | Vulnerability | The ping of death was discovered on early TCP/IP stacks. The oversized ICMP packet corrupts memory in the networking code on the target system. Operating systems released after 1993 generally do not contain this vulnerability. | Patch/upgrade the system. | Attempts to crash the machine. |
502003 | ICMP ping sweep attack | 2 | 0 | -1 | -1 | 120004 | Vulnerability | A Ping Sweep is often a precursor to an attack. The intruder attempts to determine which IP addresses are active within a large range of addresses. The hacker then knows which addresses to target and which to ignore. This probe pings all devices to see if they respond. | All external firewalls should be configured to block external ICMP Echo requests, except from known host systems. If you have a network management system outside the firewall that needs to ping internal systems, only allow that system to transmit ping requests through the firewall. | Checks to see if systems on the network respond to ICMP pings. |
610000 | HTTP | 0 | 0 | 0 | -1 | 120000 | Category | n/a | n/a | n/a |
610001 | HTTP cgi-bin probe | 0 | 1 | 2 | -1 | 610000:100005 | Vulnerability | There are numerous CGI programs with security holes that allow hackers to gain full access to a system. | Remove all CGI programs that aren't absolutely necessary. Check existing CGI for well-known security problems. | Scans for well-known CGI programs attackers can manually invoke. |
610002 | HTTP RDO probe | 0 | 1 | 2 | -1 | 610000:100005:100004 | Vulnerability | The RDO feature of many web servers may allow hackers to execute programs on the system. | Disable the RDO features of the web server if they aren't absolutely necessary. | Scans for RDO services on the web server. Attackers can use this to compromise a system. |
610003 | HTTP AnyForm probe | 0 | 1 | 2 | -1 | 610000:100005:100004 | Vulnerability | The AnyForm feature of many web servers may allow hackers to execute programs on the system. | Disable the AnyForm features of the web server if they aren't absolutely necessary. | Scans for AnyForm services on the web server. Attackers can use this to compromise a system. |
110 | 610003 | HTTP AnyForm probe | 0 | 1 | 2 | -1 | 610000:100005:100004 | Vulnerability | The AnyForm feature of many web servers may allow hackers to execute programs on the system. | Disable the AnyForm features of the web server if they aren't absolutely necessary. | Scans for AnyForm services on the web server. Attackers can use this to compromise a system. |
111 | 800000 | NetBIOS node status | 2 | 0 | 0 | -1 | 110001:120010:110010 | Vulnerability | Discovers logged-on user names, service accounts, machine name, domain/workgroup name, and MAC address. Helps map the network and find vulnerable services. Node Status is one of the NetBIOS Name Services requests. NetBIOS Name Services is a datagram-oriented protocol that allows systems to register and advertise alphanumeric names for services available on those systems. NetBIOS node status requests should not be allowed to traverse a firewall, unless they are from a specifically authorized external host. If a unique Messenger Service name is advertised, this name is likely to be the user name of the currently logged-on user. A valid user name is a very valuable piece of information to a hacker wanting to attack your systems. | Filter UDP port 137 at firewall. | Sends "NetBIOS Node-Status Request" to list active NetBIOS names. |
112 | 800001 | NetBIOS name service | 0 | 0 | -1 | -1 | 110012:120010:110011 | Vulnerability | WINS is the Microsoft specific name resolution service, similar to the DNS Domain Name Service used by the Internet. WINS has several advantages over DNS, especially with its ability to work well in DHCP dynamic IP address situations. | This is a legitimate use of NetBIOS/WINS services. | Gathers WINS information. |
113 | 900000 | DNS information | 2 | 0 | 0 | -1 | 120008:100000:110005 | Vulnerability | Gathers as much information about a DNS server as possible. | No known defense. | Collects information about DNS servers. |
114 | 900001 | DNS address query | 2 | 0 | 0 | -1 | 120008 | Vulnerability | Finds name of machine in DNS database. This is the officially approved method to do a reverse address-to-name resolution. | This is a legitimate DNS command. However, it can reveal information about your network. | Sends reverse query to DNS server about target. |
115 | 900003 | DNS bind version check | 0 | 1 | 2 | -1 | 120008:100005 | Vulnerability | Sends a "CHAOS" query for version. Only Berkeley Internet Name daemons (BIND) respond to this request. Some versions of BIND have well-known security holes. If a hacker knows the version, he can test to see if the server responds to known vulnerabilities. | Upgrade DNS services to latest version. | Sees if the target responds to a BIND version query. |
116 | 900004 | DNS inverse query check | 0 | 2 | 2 | -1 | 120008:100005 | Vulnerability | This is not the approved way to obtain an address-to-name mapping. Inverse Query is only used during testing of BIND implementations. Doing a complete reverse lookup through the DNS database tables is a very processor-intensive operation. All DNS request and response packets should be Internet type with an "Opcode" query. Any other "opcode" or network type should be considered suspect. Most commercial BIND implementations are compiled with the Inverse Query turned off. | Patch/upgrade system. Obtain the latest version of BIND from your vendor. If you are using your own version of BIND, disable the Inverse Query option in the source code and recompile. | Sees if target responds to inverse query. |
117 | 900006 | DNS zone transfer check | 0 | 2 | 2 | -1 | 120008:100005:110005 | Vulnerability | Downloads the DNS database to acquire a map of the network. A DNS Zone Transfer crack can provide zone information about an entire domain. Using the DNS zone information, an intruder can gather more information about the structure of your DNS servers. | Disable non-authenticated Zone Transfers. | Attempts Zone Transfer on target. |
118 | 900007 | DNS cache poison check | 0 | 2 | 2 | -1 | 120008:100005:110005 | Vulnerability | If a hacker can poison a DNS cache, he can masquerade as virtually any system on the network (such as www.yahoo.com). | Upgrade/patch DNS service. | Checks to see if a system is susceptible to DNS cache poison bugs. |
119 | 900008 | DNS piggyback data check | 0 | 2 | 3 | -1 | 120008:100005:110005 | Vulnerability | Older versions of BIND treated any data in the Additional Records portion of a DNS packet as a response and therefore cached the information. | Update your DNS server with the latest version of BIND. | Looks for data piggybacked on DNS queries. |
120 | 900009 | DNS out of sequence check | 0 | 2 | -1 | -1 | 120008:100005:110005 | Vulnerability | Some versions of DNS accept requests and responses out of order. In other words, a hacker can send a response to the DNS server, which it caches. Afterwards, any query for the information previously sent as a response is directed to whatever response the hacker put in the cache. | Patch/upgrade system. | Checks to see if a system accepts out of sequence requests and responses. |
121 | 1000000 | SMB information | 2 | 0 | 0 | -1 | 120009:100000:110001:110009 | Vulnerability | This probe actually consists of two "sub-probes": RPC admind and RPC mountd Spoof UID. | No known defense. | Gathers information from various SMB sources. |
122 | 1000001 | SMB corrupt logon attack | 0 | 3 | 4 | -1 | 120009:100006 | Vulnerability | Windows NT 4.0 systems prior to service pack 4 have a vulnerability which can crash the system when it receives corrupt SMB packets. SMB Session Setup packets include miscellaneous strings about the SMB client. If these strings do not end with a null character, the SMB stack on a Windows NT server overflows, causing the NT server to crash with a Blue Screen of Death. | Disable file sharing or patch/upgrade system. | Attempts to crash the machine using corrupted SMB packets. |
123 | 1000002 | SMB simple password check | 0 | 2 | 3 | -1 | 120009:100003 | Vulnerability | Scan for Windows network users or administrators that have no password or have set the password the same as the user name. | Make sure all accounts use secure passwords. Good passwords are at least 8 characters and use a combination of letters, numbers, and symbols. | Checks for simple or empty passwords on administration and user accounts. |
124 | 1000003 | SMB open default shares | 0 | 2 | 2 | -1 | 120009:100001:100002:100003:100004 | Vulnerability | Finds shares that anybody can access. This probe can also detect a remote disk drive access that uses the Microsoft default share names. Open shares could allow unauthorized access to the system's disk drives. Microsoft Windows operating systems have a default label for each disk drive. For example, the default share label for the C: drive is C$. These labels are considered hidden, and do not appear in the Microsoft network neighborhood browser. ICEscan has detected that the system under test has default share access enabled for the user and passwords indicated. | Disable unnecessary shares. Remote access using the default share labels is not normally needed, other than the ADMIN$ share used for remote administration. Disable all default share labels on the system. | Attempts to mount known shares. |
125 | 1000004 | SMB PRINTER$ attack | 0 | 3 | 2 | -1 | 120009:100005 | Vulnerability | If the PRINTER$ default share is open it can be used to access the disk drive. The PRINTER$ share is a default share connected to the SYSTEM directory under the default Windows directory. It is used to allow remote users to install new printers on the system that is sharing printer resources. This problem only exists on Windows 95 systems. | Upgrade to newer software or install patch. | Scans to see if the system has a default share open. |
126 | 1000008 | SMB advertised shares | 0 | 2 | 2 | -1 | 120009:100001:100002:100003:100004 | Vulnerability | Listing available disk shares is an important step in any attack. Attackers will likely then see which shares can be accessed with no password. | Disable service or restrict access to specific IP address(es). | Lists shares. |
127 | 1100001 | BackOrifice check | 2 | 2 | 3 | -1 | 110008 | Vulnerability | Checks to see if the BackOrifice application has been installed. This doesn't install BackOrifice itself, but finds if it exists, and then reports its success or failure. | If BackOrifice is located, it must be removed. There is a shareware application called "BODetect" that can be downloaded from many vendors. This application will remove any BackOrifice installations. | Scans for the BackOrifice application on target machine. |
128 | 2000001 | Land attack | | s100 | -1 | 2 | | DoS attempt | Attacker forges a TCP connection from your machine back to your machine, causing an infinite loop. | Update operating system, install filters. | System hangs, slows down, or crashes. |
129 | 2000002 | Unknown IP protocol | | 0 | -1 | 3 | | Possible Trojan Horse | A frame with an unknown IP protocol was detected. | Install or reconfigure port filters. | Intruder may take advantage of security holes built into a trojan horse application to access files or crash the system. |
130 | 2000003 | Teardrop attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
131 | 2000004 | NewTear attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
132 | 2000005 | SynDrop attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
133 | 2000006 | TearDrop2 attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
134 | 2000007 | Bonk attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
135 | 2000008 | Boink attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
136 | 2000009 | IP fragment overlap | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Upgrade operating system to patch this vulnerability. Install filters to stop attacks. | System crashes. |
137 | 2000010 | IP last fragment length changed | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Upgrade operating system to patch this vulnerability. Install filters to stop attacks. | System crashes. |
138 | 2000011 | Too much IP fragmentation | | s90 | -1 | 2 | | DoS overload attempt | The system received a large number of unprocessed fragments; this may be an attack, or a simple spike in traffic. | Update operating system. | System and network slow down. |
139 | 2000012 | Ping of death | | s90 | -1 | 2 | | DoS attempt | Attacker sends illegal size ping packet (>64K), which networking software was not designed to handle. | Filter out attacking IP address, or update operating system to specifically stop this type of attack. | System crash, BSoD (Blue Screen of Death). |
140 | 2000013 | IP source route | | 0 | -1 | 3 | | Intrusion | Attacker uses IP source routing that in some cases can go around firewalls. | Install dynamic firewall. | Intruder gains unauthorized access to the system. |
141 | 2000014 | Zero length IP option | | 0 | -1 | 3 | | DoS attempt | Attacker sends invalid IP option length of zero; this may crash the system or the firewall. | Update system/firewall software. | System crashes. |
142 | 2000015 | Nestea attack | | s90 | -1 | 2 | | DoS attempt | The attacker overlaps fragments in a way designed to crash the machine. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
143 | 2000016 | Empty fragment | | 0 | -1 | 2 | | DoS attempt | The attacker is sending empty IP fragments. | Update operating system, install filters. | System crash, BSoD (Blue Screen of Death). |
144 | 2000101 | Trace route | F | 0 | -1 | 0 | | Scan | A trace route scan was performed on the system. This may be indicative of a future attempt to attack the system. | No known defense. | An intruder may be gathering information which could be useful to set up a later attack. |
145 | 2000102 | Echo storm | | | -1 | 1 | | DoS overload attempt | A large number of ICMP echo frames have been sent to a single system; these may have resulted from a Smurf attack. | These services are used only in testing and should be disabled, especially when connected to the Internet. | System and network slow down. |
146 | 2000103 | Possible Smurf attack initiated | | 0 | -1 | 2 | | DoS overload attempt | Possible Smurf-amplifier attempt; an ICMP echo frame has been sent to a subnet address. | There is no defense for this attack because it is your connection that is being affected. The attacker is spoofing the IP address (specifically, pretending to be you), so you cannot find out who the attacker is. | Slows down network connection. |
147 | 2000104 | ICMP unreachable storm | | 0 | -1 | 2 | | DoS overload attempt | Attacker sends a large number of ICMP port-unreachable frames to a single IP address. | Update operating system. | Slows down network connection. |
148 | 2000105 | ICMP subnet mask request | | 0 | -1 | 1 | | Scan | Attacker requests the value of the subnet mask. This provides knowledge about your network's configuration. | No known defense. | An intruder may be gathering information which could be useful to set up a later attack. |
149 | 2000106 | Ping sweep | | 0 | -1 | 2 | | Scan | Attacker pings all machines within a subnet looking for those that are on-line. | Filter IP address pings at the router for the subnet. | Attacker locates systems that are available on a sub-network. |
150 | 2000107 | Suspicious router advertisement | | 0 | -1 | 3 | | DoS attempt | Attacker attempts to redirect traffic to an inappropriate router using a false IRDP router advertisement. | Update operating system. | Attacker redirects traffic. |
151 | 2000108 | Corrupt IP options | | 0 | -1 | 3 | | DoS attempt | Attacker sends many frames with bad IP options. This may cause the system to crash. | Update operating system. | System crashes. |
152 | 2000109 | Echo reply without request | | 0 | -1 | 3 | | Detection avoidance | Attacker sends an ICMP Echo reply without a request, possibly to communicate with a trojan horse application. | Filter IP address pings at the router for the subnet. | Attacker communicates with a trojan horse application. |
153 | 2000110 | ICMP flood | | DoS | -1 | 3 | | DoS attempt | Attacker sends many ICMP requests to cause system to be unresponsive. | Reconfigure router. | System becomes unresponsive. |
154 | 2000111 | Twinge attack | | DoS | -1 | 4 | | DoS attempt | Attacker sends many false ICMP requests to cause system to be unresponsive. | Reconfigure router. | System becomes unresponsive. |
155 | 2000201 | UDP port scan | F | agg | -1 | 2 | | Scan | Attacker systematically scans through many UDP ports on a system looking for those that are open. | Filter IP address from attacking source. | Locates open ports on a system. |
156 | 2000202 | UDP port loopback | | agg | -1 | 3 | | DoS overload attempt | Attacker sends a UDP frame that has ports 7 (Echo), 17 (Quote of the Day), or 19 (Chargen) as source and destination. | Upgrade system or install filters. | Slows down system. |
157 | 2000203 | Snork attack | | DoS | -1 | 3 | | DoS overload attempt | Attacker sends an error packet to your system on port 135, and your system replies, possibly resulting in an infinite loop. | Upgrade system or install filters. | Slows down system. |
158 | 2000204 | Ascend attack | | DoS | -1 | 3 | | DoS attempt | Attacker sends a frame that can crash older versions of Ascend routers. | Download and install patch from Ascend. | Older versions of Ascend routers may crash. |
159 | 2000205 | Possible Fraggle attack initiated | | 0 | -1 | 2 | | DoS overload attempt | Attacker sent an Echo, Qotd or Chargen frame to the broadcast address. | Upgrade system or install filters. | Slows down system. |
160 | 2000207 | UDP short header | | 0 | -1 | 2 | | Possible DoS | Attacker creates short frame to crash server. | Upgrade server software. | Crashes old versions of BeOS and possibly other systems. |
161 | 2000301 | TCP port scan | F | agg | -1 | 2 | | Scan | Attacker systematically scans through many ports on a system looking for those that are open. | Filter IP address from attacking source. | Locates open ports on a system. |
162 | 2000302 | TCP SYN flood | | DoS | -1 | 2 | | DoS overload attempt | Attacker floods the system with TCP connection requests; real requests may not get through. | Upgrade system with "SYN cookies", install filters. | Slows down a system making it difficult or impossible for anyone to connect to it. |
163 | 2000303 | WinNuke attack | | IP | -1 | 2 | | DoS attempt | Attacker sends out-of-band data to an open TCP connection. Older versions of Windows can't handle this type of data. | Filter out attacking IP address or update operating system to specifically stop this type of attack. | System hang or BSoD (Blue Screen of Death). |
164 | 2000304 | TCP sequence out-of-range | | 0 | -1 | 2 | | Possible intrusion | A TCP sequence number is out of the expected range. This may signal an attempt to hijack a TCP connection. | No known defense. | Subsequent attempts to hijack connections may be successful. |
165 | 2000305 | TCP FIN scan | F | agg | -1 | 2 | | Scan | Attacker sends unusual combination of TCP flags to see how the system responds. This may assist further attacks. | Filter IP address from attacking source. | Locates open ports on a system. |
166 | 2000306 | TCP header fragmentation | | agg | -1 | 2 | | Detection avoidance | Attacker is trying to avoid detection by splitting the TCP header into multiple frames. | Filter IP address from attacking source. | Locates open ports on a system. |
167 | 2000307 | TCP short header | | agg | -1 | 2 | | Scan | Attacker is trying to avoid detection by improperly splitting the TCP header into multiple frames. | Filter IP address from attacking source. | Locates open ports on a system. |
168 | 2000308 | TCP xmas scan | F | agg | -1 | 2 | | Scan | Attacker sends unusual combination of TCP flags to see how the system responds. This may assist further attacks. | Filter IP address from attacking source. | Locates open ports on a system. |
169 | 2000309 | TCP null scan | F | agg | -1 | 2 | | Scan | Attacker sends unusual combination of TCP flags to see how the system responds. This may assist further attacks. | Filter IP address from attacking source. | Locates open ports on a system. |
170 | 2000310 | TCP ACK ping | F | agg | -1 | 1 | | Scan | Attacker is trying to determine whether your system is up by sending an unusual frame. | Filter IP address from attacking source. | Locates available system. |
171 | 2000311 | TCP post connection SYN | | 0 | -1 | 1 | | Detection avoidance | Attacker is trying to avoid detection by sending a SYN frame with a different sequence number than the original SYN. | Filter IP address from attacking source. | Intruder avoids detection. |
172 | 2000312 | TCP FIN or RST seq out-of-range | | 0 | -1 | 1 | | Possible intrusion | A TCP sequence number is out of the expected range on a FIN or RST packet. This may signal an attempt to hijack a TCP connection. | Filter IP address from attacking source. | Intruder avoids detection. |
173 | 2000313 | TCP OS fingerprint | F | 0 | -1 | 2 | | Scan | Attacker sends unusual combination of TCP flags to see how the system responds. This may assist further attacks. | Filter IP address from attacking source. | Determines the identity of the operating system. |
174 | 2000314 | NMAP OS fingerprint | F | 0 | -1 | 2 | | Scan | Attacker uses NMAP program to send unusual TCP options to help identify the operating system. | Filter IP address from attacking source. | Determines the identity of the operating system. |
175 | 2000315 | Zero length TCP option | | 0 | -1 | 3 | | DoS attempt | Attacker sends invalid TCP option length of zero. This may crash the system or the firewall. | Update system/firewall software. | System crashes. |
176 | 2000316 | TCP small segment size | | 0 | -1 | 2 | | Detection avoidance | Attacker uses small TCP segment size to avoid detection, or to force unusual server or firewall behavior. | Update system/firewall software. | Intruder avoids detection or bypasses firewall. |
177 | 2000317 | TCP SYN with URG flag | | agg | -1 | 2 | | DoS attempt | Attacker sends a frame with SYN and URG flags set. This may crash the system or the firewall. | Update system/firewall software. | System crashes. |
178 | 2000318 | TCP Invalid Urgent offset | | 0 | -1 | 2 | | DoS attempt | Attacker sends frame with Urgent offset pointing beyond end of frame. This may crash system. | Update system/firewall software. | System crashes. |
179 | 2000401 | DNS zone transfer | | 0 | -1 | 2 | | Scan | With a list of systems in your network, the attacker can target obvious points of attack such as routers or file servers. | Limit the information revealed on your DNS servers. Configure separate DNS servers for Internet and internal use. | Attacker lists the systems in your network. |
180 | 2000402 | DNS cache corruption | | 0 | -1 | 3 | | Precipitates intrusion attempt | Attacker corrupts your DNS cache with his own entries; traffic can be redirected to another site. | Most DNS servers have no defense to some techniques. | Attacker uses one of a number of techniques to corrupt your DNS cache. |
181 | 2000403 | DNS name overflow | | 0 | -1 | 2 | | Possible intrusion | Attacker sends a DNS query that includes a very long system name. This may be an attempt to shutdown the DNS server. | Patch/upgrade DNS server. | This is an attempt to crash and compromise the DNS server. |
182 | 2000404 | DNS non-Internet lookup | | 0 | -1 | 2 | | Possible intrusion | This may be an attempt to corrupt a DNS server. | Patch/upgrade DNS server. | Attacker is prowling around your system. |
183 | 2000405 | DNS malformed | | 0 | -1 | 2 | | May crash DNS server | An ill-constructed DNS packet has been seen. | Patch/upgrade DNS server. | May crash the DNS server. |
184 | 2000406 | DNS Internet not 4 bytes | | 0 | -1 | 2 | | May crash DNS server | Attacker performs a DNS query with an Internet address that is not 4 bytes. | Patch/upgrade DNS server. | May crash the DNS server. |
185 | 2000407 | DNS HINFO query | | 0 | -1 | 2 | | Scan | A DNS HINFO query was done; a hacker may be collecting information prior to launching an attack. | Limit the information revealed on your DNS servers. Configure separate DNS servers for Internet and internal use. | An intruder may be gathering information which could be useful to set up a later attack. |
186 | 2000408 | DNS spoof successful | | 0 | -1 | 2 | | Precipitates intrusion attempt | Attacker has succeeded in redirecting traffic to another site. | DNS service should be restarted. | The DNS cache has most likely been corrupted; subsequent Internet accesses may go to the wrong address. |
187 | 2000409 | DNS I-Query | | 0 | -1 | 2 | | Possible intrusion | System sees unusual DNS traffic. This most often indicates an intrusion attempt. | Patch/upgrade DNS server. | This is an attempt to crash and compromise the DNS server. |
188 | 2000410 | DNS I-Query exploit | | 0 | -1 | 2 | | Intrusion | Intruder is attempting to gain control of the DNS service via a well-known exploit. | Disable inverse queries. | Intruder gains root access on your name server or disrupts normal operation of your name server. |
189 | 2000411 | DNS Chaos lookup | | 0 | -1 | 1 | | Possible intrusion | A DNS query includes a non-Internet address. | Patch/upgrade DNS server. | Attacker retrieves version number of DNS server. |
190 | 2000413 | NetBIOS names query | | 0 | -1 | 0 | | Scan | A hacker may be collecting information prior to launching an attack. | No known defense. | An intruder may be gathering information which could be useful to set up a later attack. |
191 | 2000414 | DNS spoof attempt | | 0 | -1 | 3 | | Intrusion attempt | An attacker has attempted (unsuccessfully) to redirect traffic to another site. | Update DNS server. | Subsequent attempts to redirect traffic to another site may be successful. |
192 | 2000415 | DNS NXT record overflow | | IP | -1 | 3 | | Intrusion | Intruder is attempting to overflow the buffer to break into the DNS server. | Update DNS server. | Intruder gains root access on your name server, or disrupts normal operation of your name server. |
193 | 2000416 | DNS null | | 0 | -1 | 2 | | Intrusion | Intruder is sending empty DNS packets to the system for an unknown reason. | Update DNS server. | Intruder disrupts normal operation of your name server. |
194 | 2000417 | DNS BIND version request | | 0 | -1 | 1 | | Scan | Intruder is requesting the version number of a BIND DNS server. | Filter IP address from attacking source. | Intruder gains information about server vulnerabilities. |
195 | 2000501 | SMB malformed | | s20 | -1 | 3 | | DoS attempt | Attacker attempts to crash the machine through the SMB service. | Update operating system. | System crashes. |
196 | 2000502 | SMB empty password | | s20 | -1 | 1 | | Possible intrusion | Attacker makes a successful connection to an SMB server with an empty password. | Patch/upgrade SMB server. | Attackers can access the entire system. |
197 | 2000503 | SMB I/O using printer share | | IP|s20 | -1 | 2 | | Possible intrusion | Older versions of Windows 95 would allow an attacker to access an entire system if printer sharing was enabled. | Disable printer sharing on all Windows 95 systems that are older than the OSR-2 release, or upgrade to OSR-2 or Windows 98. | Attackers can access the entire system. |
198 | 2000504 | SMB password overflow | | IP|s20 | -1 | 3 | | DoS or intrusion | Attacker attempts to break into the SMB server by using a very long password. | Update operating system. | Attacker attempts to crash or break into an SMB server. |
199 | 2000505 | SMB file name overflow | | s20 | -1 | 3 | | Intrusion | A file name is excessively long; this may be an attempt to overflow a buffer and gain unauthorized access to a system. | Update operating system. | Intruder gains unauthorized access to system. |
200 | 2000506 | SMB Unicode file name overflow | | s20 | -1 | 3 | | Intrusion | A file name is excessively long; this may be an attempt to overflow a buffer and gain unauthorized access to a system. | Update operating system. | Intruder gains unauthorized access to system. |
201 | 2000507 | SMB unencrypted password | | s20 | -1 | 3 | | Protocol violation | An unencrypted password was transmitted to a server which requested the use of an encrypted password. | Upgrade OS software. | Attacker retrieves user account and clear text password by sniffing wire. |
202 | 2000601 | HTTP URL overflow | 0 | agg | -1 | 1 | | Possible intrusion | Probable buffer overflow attempt on server URL. | Update HTTP server software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
203 | 2000602 | HTTP cgi starting with php | 0 | agg | -1 | 2 | | Intrusion attempt | A specially constructed URL starting with php and ending with cgi may allow undesirable access to the system. | Update HTTP server software. | Attackers can execute commands on system. |
204 | 2000603 | HTTP URL contains ../../../.. | 0 | agg | -1 | 2 | | Intrusion attempt | An intruder may be attempting to access files in a directory which is not intended to be viewable. | Update HTTP server software. | Attackers can access files and directories above the virtual web root. |
205 | 2000604 | HTTP asp with . appended | 0 | agg | -1 | 2 | | Intrusion attempt | A specially constructed URL may allow access to a Web page's source code on the server. | Update HTTP server software. | Attackers can access files which may contain user ids and passwords. |
206 | 2000605 | HTTP cgi with ~ appended | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker attempts to access a cgi backup file. | Update HTTP server software. | Attackers can access files and directories from the virtual web root. |
207 | 2000606 | HTTP URL has many slashes | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker uses a URL containing a large number of slashes; this is a probable attempt to crash a system. | Update HTTP server software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
208 | 2000607 | HTTP URL with ::$DATA appended | 0 | agg | -1 | 2 | | Intrusion attempt | This URL may allow the attacker to read the source code for server programs. | Upgrade server software; review scripts to remove such hidden information. | Attacker reads script source code. |
209 | 2000608 | HTTP GET data overflow | 0 | agg | -1 | 1 | | Possible intrusion | A URL containing a very long data string was detected; this may indicate an intrusion attempt. | No known defense. The URL may be legitimate. | An intruder may be gathering information which could be useful to set up a later attack. |
210 | 2000609 | HTTP GET data contains ../../../.. | 0 | agg | -1 | 2 | | Possible intrusion | The data passed to a URL has a suspicious pathname which might be used to access privileged files. | No known defense. The data may be legitimate. | An intruder may be accessing privileged information. |
211 | 2000610 | HTTP URL with blank appended | 0 | agg | -1 | 2 | | Intrusion attempt | This URL may allow the attacker to read the source code for server programs. | Upgrade server software. | Attacker reads script source code. |
212 | 2000611 | HTTP GET data with repeated char | 0 | agg | -1 | 2 | | Intrusion attempt | The data passed to a URL contains the same character repeated many times; this often signals a buffer overflow attempt. | Attacker attempts to overflow a buffer on the server. | Intruder may be attempting to break in. |
213 | 2000612 | IIS Double-Byte Code attempt | 0 | agg | -1 | 2 | | Intrusion attempt | This URL may allow the attacker to read the source code for server programs. | Upgrade server software. | Attacker reads script source code. |
214 | 2000613 | HTTP HOST: repeated many times | 0 | IP|s20 | -1 | 2 | | Denial of service | An attacker is attempting to crash a Web server by sending many HOST: commands. | Upgrade Web server. | System hangs. |
215 | 2000614 | HTTP URL contains ~ | 0 | agg|s20 | -1 | 1 | | Intrusion attempt | This URL may allow the attacker to read a file which he is not permitted to read. | Upgrade server. | Attacker reads restricted URL. |
216 | 2000615 | HTTP ACCEPT: field overflow | 0 | IP | -1 | 3 | | Denial of service | An attacker is attempting to crash a Web server by sending a very long ACCEPT: command. | Upgrade Web server. | Service crashes. |
217 | 2000616 | HTTP URL contains /./ | 0 | agg | -1 | 2 | | Detection avoidance | An attacker has sent a URL with a path component of /./. | No known defense. The data may be legitimate. | Intruder may be trying to avoid detection. |
218 | 2000617 | HTTP URL contains /... | 0 | agg | -1 | 2 | | Detection avoidance | An attacker has sent a URL with a path component of /... | No known defense. The data may be legitimate. | An intruder may be accessing privileged information. |
219 | 2000618 | HTTP GET data contains /... | 0 | agg | -1 | 2 | | Possible intrusion | The data passed to a URL has a suspicious pathname which might be used to access privileged files. | No known defense. The data may be legitimate. | An intruder may be accessing privileged information. |
220 | 2000619 | HTTP URL scan | 0 | IP | -1 | 4 | | Scan | An attacker is testing various vulnerable URLs to see which ones exist on a server. | Filter IP address from attacking source. | An intruder may subsequently attempt to gain unauthorized access. |
221 | 2000620 | Whisker URL fingerprint | 0 | IP | -1 | 3 | | Scan | The Whisker program is being used to scan a Web server for vulnerable programs. | Filter IP address from attacking source. | An intruder may subsequently attempt to gain unauthorized access. |
222 | 2000621 | Web site copying | 0 | agg | -1 | 3 | | Web site abuse | Excessive URL accesses have occurred from a particular IP address. | Filter IP address from attacking source. | An intruder may be copying a Web site. |
223 | 2000622 | HTTP Authentication overflow | 0 | IP | -1 | 3 | | Possible intrusion | An attacker is attempting to break into a Web server by sending a very long Authentication string. | Filter IP address from attacking source. | An intruder may be accessing privileged information. |
224 | 2000623 | HTTP POST data contains ../../../.. | 0 | agg | -1 | 2 | | Possible intrusion | The data in a form field has a suspicious pathname which might be used to access privileged files. | No known defense. The data may be legitimate. | An intruder may be accessing privileged information. |
225 | 2000624 | HTTP POST data contains /... | 0 | agg | -1 | 2 | | Detection avoidance | The data in a form field has a suspicious pathname which might be used to access privileged files. | No known defense. The data may be legitimate. | An intruder may be accessing privileged information. |
226 | 2000625 | HTTP URL with repeated char | 0 | agg | -1 | 2 | | Intrusion attempt | The URL name contains the same character repeated many times; this often signals a buffer overflow attempt. | No known defense. The data may be legitimate. | Intruder may be attempting to break in. |
227 | 2000626 | HTTP POST data with repeated char | 0 | agg | -1 | 2 | | Intrusion attempt | The data passed to a URL contains the same character repeated many times; this often signals a buffer overflow attempt. | Attacker attempts to overflow a buffer on the server. | Intruder may be attempting to break in. |
228 | 2000627 | HTTP URL bad hex code | 0 | agg | -1 | 2 | | Intrusion attempt | The URL name contains an illegal %xx hex encoding. | Filter IP address from attacking source. | An intruder may be accessing privileged information. |
229 | 2000628 | HTTP URL contains %00 | 0 | agg | -1 | 2 | | Intrusion attempt | The URL name contains a %00 hex encoding; this may fool the Web server into allowing an illegitimate URL. | Filter IP address from attacking source. | An intruder may be accessing privileged information. |
230 | 2000629 | HTTP User-Agent overflow | 0 | 0 | -1 | 2 | | Intrusion attempt | The User-Agent field is too long, indicating a possible overflow attempt. | Verify proper server configuration. | An intruder may execute his own code on the attacked system. |
231 | 2000630 | HTTP asp with \ appended | 0 | agg | -1 | 2 | | Intrusion attempt | A specially constructed URL may allow access to a Web page source code on the server. | Update HTTP server software. | Attackers can access files which may contain user ids and passwords. |
232 | 2000701 | POP3 user name overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to break in using a long user name. This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
233 | 2000702 | POP3 password overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to break in using a long password. This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
234 | 2000703 | POP3 MIME file name overflow | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker attempts to exploit the MIME overflow bug. This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
235 | 2000704 | POP3 command overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker submits an unusually long command in an attempt to break in or shut down a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
236 | 2000705 | POP3 AUTH overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to break in using a long authentication string. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
237 | 2000801 | IMAP4 user name overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to break in using a long user name. This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
238 | 2000802 | IMAP4 password overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to break in using a long password. This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
239 | 2000803 | IMAP4 authentication overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Probable attempt to break in using a buffer overflow. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
240 | 2000804 | IMAP4 command overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker submits an unusually long command in an attempt to break in or shut down a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
241 | 2000901 | Telnet abuse | 0 | agg | -1 | 2 | | Possible intrusion | Attacker is probably using Telnet to directly connect to SMTP, POP, IMAP, HTTP, or FTP. | None without an intrusion countermeasure system. An attacker using Telnet appears exactly as a legitimate connection, except for the time between keystrokes. Normal services do not contain the advanced heuristics necessary to detect this activity. | Locates and exploits holes in services. Hackers use Telnet to probe a system for weaknesses. |
242 | 2000902 | Telnet login name overflow | 0 | IP | -1 | 2 | | Possible intrusion | Attacker attempts to break in using a buffer overflow against the login name field. | Patch/upgrade Telnet software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
243 | 2000903 | Telnet password overflow | 0 | IP | -1 | 2 | | Possible intrusion | Attacker attempts to break in using a buffer overflow against the password field. | Patch/upgrade Telnet software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
244 | 2000904 | Telnet terminal type overflow | 0 | IP | -1 | 2 | | Possible intrusion | Attacker attempts to break in using a buffer overflow against the terminal-type Telnet option. | Patch/upgrade Telnet software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
245 | 2001001 | SMTP pipe in mail address | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker passes shell commands to the server via the e-mail handling service. | Upgrade mail server to patch this known vulnerability. | Compromises the mail server. |
246 | 2001002 | SMTP DEBUG command | 0 | agg | -1 | 1 | | Intrusion attempt | This was the hack used in the Morris Worm of 1988; it is unlikely that any system is vulnerable today. | Upgrade mail server to patch this known vulnerability. | Compromises mail servers. |
247 | 2001003 | SMTP login name overflow | 0 | agg | -1 | 2 | | Intrusion attempt | Buffer overflow attempt; this may be an intentional effort to overflow a buffer on a server. | Upgrade mail server to patch this known vulnerability. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
248 | 2001004 | SMTP EXPN command | 0 | agg | -1 | 1 | | Scan | The SMTP EXPN command provides information about users on a system; an intruder may use this to set up a later attack. | Reconfigure web server to ignore EXPN command. | An intruder may be gathering information which could be useful to set up a later attack. |
249 | 2001005 | SMTP VRFY command | 0 | agg | -1 | 1 | | Scan | The SMTP VRFY command provides information about users on a system; an intruder may use this information to set up a later attack. | Reconfigure web server to ignore VRFY command. | An intruder may be gathering information which could be useful to set up a later attack. |
250 | 2001006 | SMTP WIZ command | 0 | agg | -1 | 1 | | Intrusion attempt | This was the hack used in the Morris Worm of 1988; it is unlikely that any system is vulnerable today. | Upgrade mail server to patch this known vulnerability. | Compromises mail servers. |
251 | 2001007 | SMTP Too many recipients | 0 | IP | -1 | 3 | | DoS attempt against mail service | A large number of recipients have been specified for a single email. This may indicate a spammer. | Update mail server software. | Relays spam through your e-mail server, overloading your network connection and server. |
252 | 2001008 | SMTP corrupted MAIL command | 0 | agg | -1 | 2 | | Intrusion attempt | Intruder is trying to hack the mail service by sending invalidly formatted commands. | Upgrade mail server to patch this known vulnerability. | Compromises mail servers. |
253 | 2001009 | SMTP email name overflow | 0 | IP | -1 | 2 | | Intrusion | Intruder is attempting to gain control of the e-mail service through a buffer overflow in the MAIL FROM command. | Update mail server software. | Intruder gains unauthorized access to system. |
254 | 2001010 | SMTP corrupted RCPT command | 0 | agg | -1 | 2 | | Intrusion attempt | Intruder is attempting to gain control of the e-mail service through a buffer overflow in the RCPT TO command. | Upgrade mail server to patch this known vulnerability. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
255 | 2001011 | SMTP relay attempt | 0 | 0 | -1 | 3 | | Email abuse | Attacker is trying to relay mail through your SMTP mail service. | Turn off relaying. | Relays spam through your e-mail server, overloading your network connection and server, as well as hiding the source of the spam behind your server. |
256 | 2001012 | SMTP command overflow | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker submits an unusually long command in an attempt to break in or shut down a server. | Upgrade mail server to patch this known vulnerability. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
257 | 2001013 | SMTP mail to decode alias | 0 | agg | -1 | 2 | | Intrusion | Intruder tries to execute code on the server using an old email alias. | Disable the DECODE alias, then update mail server software. | In some systems this may be used to overwrite the /etc/passwd file, or other critical files, thus compromising the system. |
258 | 2001014 | SMTP mail to uudecode alias | 0 | agg | -1 | 2 | | Intrusion | Intruder tries to execute code on the server using an old email alias. | Disable the UUDECODE alias, then update mail server software. | Intruder gains control of the system. |
259 | 2001015 | SMTP too many errors | 0 | agg | -1 | 3 | | Spamming | The SMTP server has issued too many error responses. This probably indicates that a spammer is trying to misuse the email system. | No known defense. | Relays spam through your e-mail server, overloading your network connection and server, as well as hiding the source of the spam behind your server. |
260 | 2001016 | SMTP MIME file name overflow | 0 | agg | -1 | 3 | | Intrusion attempt | This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
261 | 2001017 | SMTP uucp-style recipient | 0 | agg | -1 | 3 | | Spam attempt | An old uucp-style mail recipient name (using %) was seen. | Install a patch from your vendor. | Intruder may be attempting to bypass spam filters to send unauthorized email. |
262 | 2001018 | SMTP encapsulated relay | 0 | 0 | -1 | 3 | | Spam attempt | An encapsulated email address of the form <"target@destination.com"@relay.host.name> was seen. | Install a patch from your vendor. | Intruder may be attempting to bypass spam filters to send unauthorized email. |
263 | 2001019 | SMTP encapsulated Exchange relay | 0 | 0 | -1 | 3 | | Spam attempt | An encapsulated email address of the form <IMCEASMTP-user+40destination+2Ecom@relay.com> was seen. | Install a patch from your vendor. | Intruder may be attempting to bypass spam filters to send unauthorized email. |
264 | 2001020 | SMTP mail to rpmmail alias | 0 | agg | -1 | 2 | | Intrusion | Intruder tries to execute code on the server using an email alias. | Upgrade to newest email server. | Intruder gains control of the system. |
265 | 2001021 | SMTP MIME name overflow | 0 | agg | -1 | 3 | | Intrusion attempt | This may be an intentional effort to overflow a buffer on a server. | Install a patch from your vendor. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
266 | 2001101 | Finger | 0 | 0 | -1 | 0 | | Scan | Attacker can see which users are connected. This information can be extremely useful for hacking into the system at a later time. | Disable finger service. | Attacker finds out who is logged on, and gets information about users. |
267 | 2001102 | Finger forwarding | 0 | IP | -1 | 2 | | Scan | Attacker attempts to use the finger service to forward a finger request to another system. | Disable finger service. | Attacker finds out who is logged on, and gets information about users on another system. |
268 | 2001103 | Finger forwarding overflow | 0 | IP | -1 | 2 | | Intrusion attempt | Attacker attempts to forward a very long finger command. | Upgrade operating system. Disable finger services. | Attacker overloads the system using finger commands. |
269 | 2001104 | Finger command | 0 | 0 | -1 | 1 | | Intrusion attempt | Attacker attempts to execute a remote command using a finger server. | Upgrade operating system. Disable finger services. | Attacker may collect information on users of the system. |
270 | 2001201 | TFTP file not found | 0 | 0 | -1 | 2 | | Possible intrusion | A TFTP file was not found. This may be a configuration problem, or may indicate an illegitimate use of the TFTP command. | Do not enable TFTP on system unless absolutely necessary. | An attacker is prowling around your system. |
271 | 2001202 | TFTP file name overflow | 0 | 0 | -1 | 2 | | Intrusion attempt | A TFTP file name was very long. This indicates a possible attempt by a hacker to break in to a server. | Upgrade TFTP server. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
272 | 2001301 | FTP invalid PORT command | 0 | agg | -1 | 2 | | Possible intrusion | The FTP PORT command cannot be recognized. This may indicate an attempt to crash or break in to the server. | No known defense. | An attacker is prowling around your system. |
273 | 2001302 | FTP PORT bounce to other system | 0 | IP | -1 | 2 | | Possible intrusion | The FTP PORT command was used to set up an FTP transfer to another system. | Ensure that your FTP server software cannot establish connections to arbitrary machines. | An attacker establishes a connection between the FTP server machine and an arbitrary port on another system. This connection may be used to bypass access controls that would otherwise apply. |
274 | 2001303 | FTP PORT restricted | 0 | 0 | -1 | 2 | | Possible intrusion | The FTP PORT command was used to set up an FTP transfer to a well-known port number. | Ensure that your FTP server software cannot establish connections to arbitrary machines. | An attacker establishes a connection between the FTP server machine and a well-known port on another system. This connection may be used to bypass access controls that would otherwise apply. |
275 | 2001304 | FTP CWD ~root command | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker has attempted to connect to the FTP server as the root user. | Upgrade FTP server to patch this known bug. | Exploits a bug in FTP servers that gains access to the entire FTP server. |
276 | 2001305 | FTP SITE EXEC command | 0 | agg | -1 | 2 | | Intrusion attempt | Attacker has attempted to execute a command on the FTP server. | Upgrade FTP server to patch this known bug. | Exploits a bug in FTP servers that gains access to the entire FTP server. |
277 | 2001306 | FTP user name overflow | 0 | IP | -1 | 3 | | Intrusion attempt | Buffer overflow attempt. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
278 | 2001307 | FTP password overflow | 0 | IP | -1 | 3 | | Intrusion attempt | Buffer overflow attempt. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
279 | 2001308 | FTP CWD directory overflow | 0 | agg | -1 | 3 | | Intrusion attempt | Buffer overflow attempt. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
280 | 2001309 | FTP file name overflow | 0 | 0 | -1 | 3 | | Intrusion attempt | Buffer overflow attempt; this may be an intentional effort to overflow a buffer on a server. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
281 | 2001310 | FTP command line overflow | 0 | 0 | -1 | 3 | | Intrusion attempt | Attacker submits an unusually long command in an attempt to break in or shut down a server. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
282 | 2001311 | FTP pipe in filename | 0 | 0 | -1 | 3 | | Intrusion attempt | Attacker is attempting to execute code on the server. | Upgrade FTP server to patch this known bug. | Attacker has full access to your machine. |
283 | 2001312 | FTP MKD directory overflow | 0 | agg | -1 | 3 | | Intrusion attempt | Buffer overflow attempt. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
284 | 2001313 | ProFTPD snprintf exploit | 0 | IP | -1 | 3 | | Intrusion attempt | Attacker attempts to break into the ProFTPD service. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
285 | 2001314 | FTP SITE PSWD exploit | 0 | IP | -1 | 3 | | Denial of service | Attacker attempts to crash the Serv-U FTP-Server. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way to crash the FTP server. |
286 | 2001315 | FTP compress exec exploit | 0 | agg | -1 | 3 | | Intrusion attempt | Attacker attempts to execute code on a system running an FTP server. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
287 | 2001316 | FTP file exec exploit | 0 | agg | -1 | 3 | | Intrusion attempt | Attacker attempts to execute code on a system running an FTP server. | Upgrade FTP server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
288 | 2001401 | RWHO host name overflow | 0 | 0 | -1 | 3 | | Intrusion attempt | Buffer overflow attempt; this may signal an intentional effort to overflow a buffer on a server. | Upgrade RWHO server to patch this known bug. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
289 | 2001501 | Back Orifice scan seen | 0 | 0 | -1 | 3 | | Intrusion attempt | BackOrifice is a Trojan horse application that allows remote administration. Remove BackOrifice IMMEDIATELY from your system. | Never run programs given to you by untrustworthy people. Turn off file sharing when on the Internet. | Attacker has full access to your machine. |
290 | 2001502 | NetBus response | E | IP | -1 | 4 | | Intrusion | NetBus is a Trojan horse application that allows remote administration. Remove NetBus immediately from your system. | Never run programs given to you by untrustworthy people. Turn off file sharing when on the Internet. | Attacker has full access to your machine. |
291 | 2001503 | Quake backdoor | 0 | IP | -1 | 3 | | Intrusion attempt | Attacker attempts to connect to a Quake server using a backdoor. | Upgrade Quake to current version to patch this known bug. | Intruder is able to execute his own code on the attacked system. |
292 | 2001504 | HP Remote watch | 0 | 0 | -1 | 2 | | Possible intrusion | An intruder attempts to connect to the HP Remote Watch program. | Remote Watch package is a system management tool whose capabilities have been largely incorporated in the System Administration Manager (SAM). These files cannot be patched but should be removed as recommended in the HP Security Advisory #9610-039. | Attacker can add or change privileged system files that then compromise system security and gain root access or destroy files. |
293 | 2001505 | Back Orifice response | E | IP|port | -1 | 4 | | Intrusion | An intruder is using the BackOrifice application to remotely control your system. Remove BackOrifice IMMEDIATELY from your system. | Use anti-virus software to remove BackOrifice from the system. | Intruder gains control of the system. |
294 | 2001506 | Back Orifice ping | 0 | 0 | -1 | 2 | | Intrusion attempt | Intruder attempts to see if you have the BackOrifice application installed. | Filter IP address from attacking source. | BackOrifice can give an attacker full access to a system. If an attacker discovers a known Trojan horse application on your system, such as BackOrifice, then he can use the application to break into your system and the network. |
295 | 2001507 | PCAnywhere ping | 0 | 0 | -1 | 0 | | Scan | An intruder sends a special ping to the system to determine whether the PCAnywhere application is available. | Select a good password to prevent undesired access to your system. | Someone is probing the system. |
296 | 2001508 | ISS scan | 0 | agg | -1 | 2 | | Scan | An intruder is using the ISS Internet Scanner to probe your system for weaknesses. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
297 | 2001509 | ISS UDP scan | 0 | agg | -1 | 2 | | Scan | An intruder is using the ISS Internet Scanner to probe your system for weaknesses. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
298 | 2001510 | Cybercop FTP scan | 0 | agg | -1 | 2 | | Scan | An intruder is using the Network Associates Cybercop Scanner to probe your system for weaknesses. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
299 | 2001511 | WhatsUp scan | 0 | agg | -1 | 2 | | Scan | An intruder is using the WhatsUp product by Ipswitch to probe your system for weaknesses. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
300 | 2001512 | Back Orifice 2000 ping | 0 | 0 | -1 | 3 | | Intrusion attempt | Intruder attempts to see if you have BackOrifice 2000 installed. | Filter IP address from attacking source. | BackOrifice can give an attacker full access to a system. If an attacker discovers a known Trojan horse application on your system, such as BackOrifice, then he can use the application to break into your system and the network. |
301 | 2001513 | Back Orifice 2000 auth | 0 | IP|port | -1 | 4 | | Intrusion | An intruder is using BackOrifice to remotely control your system. Remove BackOrifice IMMEDIATELY from your system. | Use anti-virus software to remove the BackOrifice application from the system. | Intruder gains control of the system. |
302 | 2001514 | Back Orifice 2000 command | 0 | IP|port | -1 | 4 | | Intrusion | An intruder is using BackOrifice to remotely control your system. Remove BackOrifice IMMEDIATELY from your system. | Use anti-virus software to remove the BackOrifice application from the system. | Intruder gains control of the system. |
303 | 2001515 | Back Orifice 2000 response | E | IP|port | -1 | 4 | | Intrusion | An intruder is using BackOrifice to remotely control your system. Remove BackOrifice IMMEDIATELY from your system. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
304 | 2001516 | Trojan horse response | E | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Filter IP address from attacking source. | Intruder gains control of the system. |
305 | 2001517 | Scan by sscan program | 0 | agg | -1 | 3 | | Scan | The sscan program is being used to probe your system for vulnerabilities. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
306 | 2001518 | phAse Zero trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
307 | 2001519 | SubSeven trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
308 | 2001520 | GateCrasher trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
309 | 2001521 | GirlFriend trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
310 | 2001522 | EvilFTP trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
311 | 2001523 | NetSphere trojan horse activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
312 | 2001524 | Trinoo master activity | 0 | agg | -1 | 2 | | Trojan horse scan | Your system is being scanned for the Trinoo trojan horse program. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
313 | 2001525 | Trinoo daemon activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
314 | 2001526 | NMAP ping | 0 | agg | -1 | 3 | | Scan | The NMAP program is being used to probe your system for vulnerabilities. | Install dynamic filters that can selectively stop these scans. | Attacker finds vulnerabilities that can be exploited. |
315 | 2001527 | NetSphere client | 0 | 0 | -1 | 1 | | Note | NetSphere client activity has been seen. | Somebody on your network is running the client. | Intruder can run commands on your system. |
316 | 2001528 | Mstream agent activity | 0 | IP|port | -1 | 4 | | Intrusion | Data is being sent from a trojan horse program to an intruder. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
317 | 2001529 | Mstream handler activity | 0 | agg | -1 | 2 | | Trojan horse scan | Your system is being scanned for the Mstream trojan horse program. | Use anti-virus software to remove the trojan horse application from the system. | Intruder gains control of the system. |
318 | 2001601 | FTP login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple FTP login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
319 | 2001602 | HTTP login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple HTTP authentication failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
320 | 2001603 | IMAP4 login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple IMAP4 login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
321 | 2001604 | POP3 login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple POP3 login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
322 | 2001605 | RLOGIN login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple RLogin login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
323 | 2001606 | SMB login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple SMB login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
324 | 2001607 | SQL login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple SQL login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
325 | 2001608 | Telnet login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple Telnet login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
326 | 2001609 | SMTP login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple SMTP login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
327 | 2001610 | PCAnywhere login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple PCAnywhere login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
328 | 2001611 | SOCKS login failed | B | agg | -1 | 1 | | Possible intrusion | Multiple SOCKS login failures using bad user names and/or passwords were detected. | Enforce strong passwords and account lockout, log the failures, and restrict the service to trusted addresses where possible. | An attacker is prowling around your system. Subsequent attempts may be successful. |
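The eleven "login failed" issues above (2001601 to 2001611) share the B type and the "agg" impact: a single failed login is noise, and the issue fires only once failures are aggregated per source against one service. The detector below is an added example in Python of that aggregation, not Network ICE or BlackICE code. The log line format, the threshold of five failures and the 60-second sliding window are assumptions (the table does not state the product's values), and the sample log is constructed. The pop3 lines show why the window matters: five failures spread over 400 seconds never trip a 60-second window.

```python
"""Per-source, per-service aggregation of authentication failures.

Added example for issues 2001601-2001611; not Network ICE code. The log
format, THRESHOLD and WINDOW are assumptions and SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Issue ids from the table, keyed by the service name used in the sample log.
LOGIN_FAILED_ISSUE = {
    "ftp": 2001601, "http": 2001602, "imap4": 2001603, "pop3": 2001604,
    "rlogin": 2001605, "smb": 2001606, "sql": 2001607, "telnet": 2001608,
    "smtp": 2001609, "pcanywhere": 2001610, "socks": 2001611,
}

# Assumed policy: THRESHOLD failures from one source against one service
# within WINDOW seconds raise the service's issue.
THRESHOLD = 5
WINDOW = 60.0

# Constructed sample log: "<epoch-seconds> <service> <src-ip> <user> <ok|fail>"
SAMPLE_LOG = """\
1000 ftp 10.0.0.5 root fail
1001 ftp 10.0.0.5 admin fail
1002 ftp 10.0.0.5 test fail
1003 ftp 10.0.0.5 guest fail
1004 ftp 10.0.0.5 oracle fail
1005 ftp 10.0.0.5 backup fail
1010 ftp 10.0.0.9 alice fail
1020 ftp 10.0.0.9 alice ok
1100 pop3 10.0.0.7 bob fail
1200 pop3 10.0.0.7 bob fail
1300 pop3 10.0.0.7 bob fail
1400 pop3 10.0.0.7 bob fail
1500 pop3 10.0.0.7 bob fail
2000 telnet 10.0.0.5 root fail
2001 telnet 10.0.0.5 root fail
2002 telnet 10.0.0.5 root fail
2003 telnet 10.0.0.5 root fail
2004 telnet 10.0.0.5 root fail
"""


def parse_line(line: str) -> Tuple[float, str, str, str, bool]:
    """Split one sample log line into (timestamp, service, src, user, failed)."""
    ts, service, src, user, result = line.split()
    return float(ts), service.lower(), src, user, result == "fail"


def detect_login_failures(log_text: str, threshold: int = THRESHOLD,
                          window: float = WINDOW):
    """Return one alert per (src, service) each time the threshold is crossed.

    Each alert is (issue_id, src, service, first_ts, last_ts, count).  After an
    alert the key's window is cleared, so a sustained attack produces one alert
    per `threshold` failures rather than one per packet.
    """
    windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, service, src, _user, failed = parse_line(raw)
        if service not in LOGIN_FAILED_ISSUE or not failed:
            continue
        q = windows[(src, service)]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((LOGIN_FAILED_ISSUE[service], src, service, q[0], ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_login_failures(SAMPLE_LOG):
        print(alert)
```

Widening the window to 1000 seconds makes the slow pop3 guessing visible as issue 2001604, which is the trade-off these "agg" signatures embody: a short window keeps noise down, a long one catches low-and-slow guessing at the cost of memory per source.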
329 | 2001701 | rpc.automountd overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the automountd buffer overflow. | Update operating system. | Intruder gains unauthorized access to the system. |
330 | 2001702 | rpc.statd overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the statd buffer overflow. | Update operating system. | Intruder gains unauthorized access to the system. |
331 | 2001703 | rpc.tooltalkd overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the buffer overflow weakness in ToolTalk. | Update operating system. | Intruder gains unauthorized access to the system. |
332 | 2001704 | rpc.admind auth | 0 | 0 | -1 | 3 | | Intrusion | The remote administration of Solaris machines was attempted without proper authentication. | Update operating system. | Intruder performs administrative operations on the system without authenticating. |
333 | 2001705 | rpc.portmap dump | 0 | 0 | -1 | 2 | | Scan | Attacker scans the RPC service to determine which services are running and the version of those services. | Disable portmapper/rpcbind access from the Internet. | Attacker finds older RPC-based programs that can be further exploited. |
334 | 2001706 | rpc.mountd overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the mountd buffer overflow. | Update operating system. | Intruder gains unauthorized access to system. |
335 | 2001707 | rpc.nfs/lockd attack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to bypass NFS security by tunneling through lockd port 4045. | Update operating system. | Intruder gains unauthorized access to system. |
336 | 2001708 | rpc.portmap.set | 0 | 0 | -1 | 3 | | Intrusion attempt | Intruder is attempting to register a service with the portmapper remotely; this might be exploited at a later time. | Patch/upgrade RPC services, and disable portmapper/rpcbind access from the Internet. | An intruder may register a bogus service mapping that is used in a later attack. |
337 | 2001709 | rpc.portmap.unset | 0 | 0 | -1 | 3 | | Intrusion attempt | Intruder is attempting to unregister a service from the portmapper remotely. | Patch/upgrade RPC services, and disable portmapper/rpcbind access from the Internet. | An intruder may be disabling a service, or setting up the system for a later attack. |
338 | 2001710 | rpc.pcnfs backdoor | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to use a backdoor in the PCNFS service to access remote files. | Update operating system. | Intruder gains unauthorized access to system. |
339 | 2001711 | rpc.statd dotdot file create | 0 | 0 | -1 | 3 | | Intrusion | Attacker sends statd a name containing ".." so that it creates a file in a privileged part of the file system. | Install filters to stop this attack, or upgrade systems to newer versions that specifically defend against this type of attack. | The attacker can create or overwrite files anywhere on the system, which can lead to root access. |
340 | 2001712 | rpc.ypupdated command | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to use the ypupdated command to execute arbitrary commands on the server. | The workaround is to disable rpc.ypupdated and contact the vendor for a patch. | Intruder gains unauthorized access to the system. |
341 | 2001713 | rpc.nfs uid is zero | 0 | 0 | -1 | 3 | | Intrusion | Attacker sends a 32-bit user ID whose bottom 16 bits are zero. A server that truncates user IDs to 16 bits treats such a request as coming from root, so the intruder can improperly log in as root. | Update operating system. | Intruder gains unauthorized access to the system. |
342 | 2001714 | rpc.nfs mknod | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to execute mknod command on remote system. | Update operating system. | Intruder gains unauthorized access to the system. |
343 | 2001715 | rpc.nisd long name | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to overflow an NIS+ buffer on a remote system. | Update operating system. | Intruder gains unauthorized access to the system. |
344 | 2001716 | rpc.statd with automount | 0 | 0 | -1 | 3 | | Intrusion | Attacker is using the statd service to execute an automount command on the local system. | Update operating system. | Intruder gains unauthorized access to the system. |
345 | 2001717 | rpc.cmsd overflow | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to overflow a buffer in the Calendar Manager service. | Update operating system. | Intruder gains unauthorized access to the system. |
346 | 2001718 | rpc.amd overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the buffer overflow in amd, the Berkeley automounter. | Update operating system. | Intruder gains unauthorized access to the system. |
347 | 2001719 | RPC bad credentials | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to bypass authentication. | Update operating system. | Intruder gains unauthorized access to the system. |
348 | 2001720 | RPC suspicious credentials | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to bypass authentication. | Update operating system. | Intruder gains unauthorized access to the system. |
349 | 2001721 | RPC getport probe | 0 | 0 | -1 | 2 | | Scan | Intruder is querying the portmapper for a service to break into. | Disable portmapper/rpcbind access from the Internet. | Intruder finds out which RPC services the system runs. |
350 | 2001722 | rpc.sadmind overflow | 0 | 0 | -1 | 3 | | Intrusion | Intruder is attempting to exploit the sadmind buffer overflow. | Update operating system. | Intruder gains unauthorized access to the system. |
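Several of the RPC issues above hinge on what an AUTH_UNIX (AUTH_SYS) credential carries: "rpc.nfs uid is zero" (2001713) looks at a user ID whose low 16 bits are zero, and "RPC bad credentials" (2001719) at credentials that do not decode as the protocol requires. The parser below is an added example in Python, not Network ICE code. It decodes an RPC CALL header and its credential per the XDR layout in RFC 5531 (big-endian 4-byte fields, strings padded to 4 bytes, at most 400 bytes of credential, a machine name of at most 255 bytes, at most 16 supplementary gids). The table does not state the product's exact criteria for either issue, so treating the RFC limits as "bad" and a non-zero UID with zero low 16 bits as 2001713 are assumptions; `build_call` only constructs sample messages.

```python
"""Decode an ONC RPC CALL header and AUTH_SYS credential and apply checks for
issues 2001713 (uid truncates to root) and 2001719 (bad credentials).

Added example, not Network ICE code.  The RFC 5531 limits are real; using
them as the "bad credentials" criterion and the low-16-bit UID rule are
assumptions.  build_call() exists only to construct sample input.
"""
import struct

AUTH_NONE, AUTH_SYS = 0, 1
MAX_AUTH_BYTES, MAX_MACHINENAME, MAX_GIDS = 400, 255, 16   # RFC 5531 limits


class RpcParseError(ValueError):
    """Credential or header does not decode within the RFC's limits."""


def _u32(buf, off):
    """Read one big-endian XDR unsigned int; return (value, next offset)."""
    if off + 4 > len(buf):
        raise RpcParseError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off, maxlen):
    """Read a variable-length XDR opaque/string, enforcing maxlen and padding."""
    n, off = _u32(buf, off)
    if n > maxlen or off + n > len(buf):
        raise RpcParseError("opaque length %d exceeds limit or buffer" % n)
    return buf[off:off + n], off + n + (-n % 4)   # XDR pads to 4-byte boundary


def parse_auth_sys(body):
    """Decode authsys_parms: stamp, machinename<255>, uid, gid, gids<16>."""
    stamp, off = _u32(body, 0)
    name, off = _opaque(body, off, MAX_MACHINENAME)
    uid, off = _u32(body, off)
    gid, off = _u32(body, off)
    ngids, off = _u32(body, off)
    if ngids > MAX_GIDS:
        raise RpcParseError("%d gids exceeds the %d allowed" % (ngids, MAX_GIDS))
    gids = []
    for _ in range(ngids):
        g, off = _u32(body, off)
        gids.append(g)
    if off != len(body):
        raise RpcParseError("%d trailing bytes in credential" % (len(body) - off))
    return {"stamp": stamp, "machinename": name.decode("ascii", "replace"),
            "uid": uid, "gid": gid, "gids": gids}


def inspect_rpc_call(msg):
    """Return (issue_ids, decoded fields) for one RPC CALL message."""
    xid, off = _u32(msg, 0)
    mtype, off = _u32(msg, off)
    if mtype != 0:
        raise RpcParseError("not a CALL message")
    _rpcvers, off = _u32(msg, off)
    prog, off = _u32(msg, off)
    vers, off = _u32(msg, off)
    proc, off = _u32(msg, off)
    flavor, off = _u32(msg, off)
    fields = {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}
    issues = []
    try:
        body, off = _opaque(msg, off, MAX_AUTH_BYTES)
        if flavor == AUTH_SYS:
            cred = parse_auth_sys(body)
            fields.update(cred)
            # Assumed rule for 2001713: a non-zero UID whose low 16 bits are
            # zero becomes 0 (root) on a server that truncates UIDs to 16 bits.
            if cred["uid"] != 0 and cred["uid"] & 0xFFFF == 0:
                issues.append(2001713)
    except RpcParseError:
        issues.append(2001719)
    return issues, fields


def build_call(uid=1000, gid=100, gids=(), machinename=b"client",
               prog=100003, vers=2, proc=1, raw_cred=None):
    """Construct an RPC CALL carrying an AUTH_SYS credential (sample input only)."""
    if raw_cred is None:
        name = struct.pack(">I", len(machinename)) + machinename + b"\0" * (-len(machinename) % 4)
        raw_cred = (struct.pack(">I", 0) + name + struct.pack(">III", uid, gid, len(gids))
                    + b"".join(struct.pack(">I", g) for g in gids))
    hdr = struct.pack(">IIIIII", 0x1234, 0, 2, prog, vers, proc)   # xid, CALL, rpcvers 2
    cred = struct.pack(">II", AUTH_SYS, len(raw_cred)) + raw_cred + b"\0" * (-len(raw_cred) % 4)
    return hdr + cred + struct.pack(">II", AUTH_NONE, 0)             # null verifier


if __name__ == "__main__":
    for label, msg in [("uid 1000", build_call(uid=1000)), ("uid 65536", build_call(uid=65536)),
                       ("17 gids", build_call(gids=tuple(range(17))))]:
        print(label, inspect_rpc_call(msg)[0])
```

The UID check is deliberately narrow: a literal UID 0 is an ordinary (if unwelcome) root request that export options such as root squashing already handle, whereas 65536 or 131072 is only interesting because of the truncation the row describes.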
351 | 2001801 | IRC buffer overflow | 0 | agg | -1 | 3 | | Intrusion | Intruder attempts to compromise the IRC service. | Update operating system. | Intruder gains unauthorized access to the system. |
352 | 2001901 | IDENT invalid response | 0 | agg | -1 | 3 | | Intrusion | Hostile server is attempting to exploit the identd client. | Update operating system. | Intruder gains unauthorized access to the system. |
353 | 2001902 | IDENT scan | 0 | agg | -1 | 2 | | Scan | Intruder is scanning systems with identd looking for possible user information. | Uninstall identd. | An intruder may be gathering information which could be useful to set up a later attack. |
354 | 2001903 | IDENT suspicious ID | 0 | agg | -1 | 3 | | Intrusion | Hostile server is attempting to exploit the identd client. | Update operating system. | Intruder gains unauthorized access to the system. |
355 | 2002001 | SNMP Corrupt | 0 | 0 | -1 | 2 | | Possible intrusion | Attacker sends corrupted SNMP traffic. This may be designed to compromise the system. | Patch/upgrade SNMP software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system; he may crash the system. |
356 | 2002002 | SNMP Crack | B | agg | -1 | 4 | | Intrusion | Attacker tries many different SNMP community strings (passwords) in an attempt to guess the SNMP access passwords. | Disable SNMP if it is not needed; otherwise replace default community strings and filter SNMP by source IP address. | Attacker learns a community string and can read, or with a write community change, the device configuration. |
357 | 2002003 | SNMP backdoor | 0 | 0 | -1 | 3 | | Intrusion attempt | Intruder attempts to use a default or undocumented community string built into the network equipment. | Patch/upgrade SNMP services. | An intruder may be gathering information which could be useful to set up a later attack. |
358 | 2002004 | SNMP discovery broadcast | 0 | 0 | -1 | 2 | | Scan | Intruder is scanning systems to see whether SNMP is supported. | Patch/upgrade SNMP services. | An intruder may be gathering information which could be useful to set up a later attack. |
359 | 2002101 | Rlogin -froot backdoor | 0 | port | -1 | 3 | | Intrusion | The intruder tries to attack an older version of the Rlogin server which allows remote login as root without a password. | Update operating system. | Intruder gains unauthorized access to the system. |
360 | 2002102 | Rlogin login name overflow | 0 | IP|port | -1 | 3 | | Possible intrusion | Attacker attempts to break in using buffer overflow against the login name field. | Patch/upgrade Rlogin software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
361 | 2002103 | Rlogin password overflow | 0 | IP|port | -1 | 3 | | Possible intrusion | Attacker attempts to break into the system using buffer overflow against the password field. | Patch/upgrade Rlogin software. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
362 | 2002201 | Melissa virus | 0 | 0 | -1 | 4 | | Email virus | An email containing the Melissa virus has been received. You should immediately delete this email. | Immediately delete this email. | Indirectly, this virus could cause a denial of service on your mail server. |
363 | 2002202 | Papa virus | 0 | 0 | -1 | 4 | | Email virus | An email containing the Papa virus has been received. You should immediately delete this email. | Immediately delete this email. | Indirectly, this virus could cause a denial of service on your mail server. |
364 | 2002203 | PICTURE.EXE virus | 0 | 0 | -1 | 4 | | Email virus | This virus sent an email; you should immediately rid your system of this virus. | Immediately delete this email. | This virus gathers password and other information and sends it to several e-mail addresses in China. |
365 | 2002204 | W97M.Marker.a virus | 0 | 0 | -1 | 4 | | FTP virus | This virus attempted an FTP transfer. | Immediately rid your system of this virus. | This macro virus will keep a log of the date/time of the infection and user information. When the payload in this virus activates on the 1st of the month, it will upload this information to an FTP site. |
366 | 2002205 | ExploreZip virus | 0 | 0 | -1 | 4 | | Email virus | This virus was received or sent via email. | Immediately rid your system of this virus. | This email virus will damage your files if you execute it. |
367 | 2002206 | Keystrokes monitored | D | 0 | -1 | 4 | | Intrusion | The Investigator program from WinWhatWhere is monitoring your keystrokes. | Uninstall program. | Keystrokes are monitored and emailed to another system. |
368 | 2002207 | PrettyPark worm | D | 0 | -1 | 4 | | IRC virus | This virus reveals sensitive information on various IRC channels. | Immediately rid your system of this virus. | This virus gathers password and other information and sends it to several IRC channels. |
369 | 2002208 | ILOVEYOU worm | 0 | 0 | -1 | 4 | | Email virus | An email containing the ILOVEYOU virus has been received. You should immediately delete this email. | Immediately delete this email. | Indirectly, this virus could cause a denial of service on your mail server. |
370 | 2002301 | Duplicate IP address | 0 | 0 | -1 | 1 | | Possible intrusion | A duplicate IP address was detected; a system may be misconfigured, or an IP address has recently changed. | Check configuration of systems reporting that IP address. | A system is misconfigured, or someone is spoofing the address to intercept traffic. |
371 | 2002401 | NNTP name overflow | 0 | IP | -1 | 3 | | Intrusion attempt | The name field of a news posting is very long; this may indicate an attempt to overflow a buffer on the system. | Patch/upgrade NNTP services. | Intruder constructs data in a particular way and is able to execute his own code on the attacked system. |
372 | 2002402 | NNTP pipe seen | 0 | agg | -1 | 3 | | Intrusion attempt | A pipe symbol has been seen in an NNTP Control field; commands may be improperly executed on a server. | Patch/upgrade NNTP services. | Attacker gains access to news server. |
373 | 2002501 | bat URL type | 0 | agg | -1 | 3 | | Suspicious URL | Attacker attempts to execute a bat file which may have been misplaced in the cgi-bin directory. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
374 | 2002502 | cmd URL type | 0 | agg | -1 | 3 | | Suspicious URL | Attacker attempts to execute a cmd file which may have been misplaced in the cgi-bin directory. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
375 | 2002503 | CGI aglimpse | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
376 | 2002504 | CGI anyform2 | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
377 | 2002505 | CGI bash | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a Unix shell program. If successful, the hacker gains unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
378 | 2002506 | CGI campas | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
379 | 2002507 | CGI convert.bas | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
380 | 2002508 | CGI csh | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a Unix shell program. If successful, the hacker gains unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
381 | 2002509 | CGI faxsurvey | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
382 | 2002510 | CGI finger | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute the finger program; this may allow unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
383 | 2002511 | CGI formmail | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
384 | 2002512 | CGI formmail.pl | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
385 | 2002513 | CGI glimpse | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
386 | 2002514 | CGI guestbook | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
387 | 2002515 | CGI guestbook.pl | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
388 | 2002516 | CGI handler | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
389 | 2002517 | CGI htmlscript | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
390 | 2002518 | CGI info2www | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
391 | 2002519 | CGI machineinfo | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
392 | 2002520 | CGI nph-test-cgi | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
393 | 2002521 | CGI perl | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute the perl program. This may allow unintended access to a server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
394 | 2002522 | CGI perl.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute the perl program. This may allow unintended access to a server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
395 | 2002523 | CGI pfdispaly.cgi | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
396 | 2002524 | CGI phf | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
397 | 2002525 | CGI rguest.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
398 | 2002526 | CGI wguest.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
399 | 2002527 | CGI rksh | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a Unix shell program. If successful, the hacker gains unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
400 | 2002528 | CGI sh | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a Unix shell program. If successful, the hacker gains unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
401 | 2002529 | CGI tcsh | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a Unix shell program. If successful, the hacker gains unintended access to the server. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
402 | 2002530 | CGI test-cgi.tcl | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI script with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
403 | 2002531 | CGI test-cgi | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
404 | 2002532 | CGI view-source | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
405 | 2002533 | CGI webdist.cgi | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI script with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
406 | 2002534 | CGI webgais | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
407 | 2002535 | CGI websendmail | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
408 | 2002536 | CGI win-c-sample.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
409 | 2002537 | CGI wwwboard.pl | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
410 | 2002538 | CGI uploader.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
411 | 2002539 | CGI mlog.html | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI script with known weaknesses. | Update to a secure version of this file. | An intruder may read any arbitrary file on the system, including password and host files. |
412 | 2002540 | CGI mylog.html | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI script with known weaknesses. | Update to a secure version of this file. | An intruder may read any arbitrary file on the system, including password and host files. |
413 | 2002541 | CGI snork.bat | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
414 | 2002542 | CGI newdsn.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder gains access, and may potentially crash the system. |
415 | 2002543 | FrontPage service.pwd | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to read the FrontPage service.pwd file, which holds hashed passwords for FrontPage authors. | Upgrade Front Page Server and restrict web access to the _vti_pvt directory. | Intruder gains access to password information. |
416 | 2002544 | .bash.history URL | 0 | agg | -1 | 2 | | Suspicious URL | This file contains a history of shell commands, some of which may contain confidential information. | Patch Cobalt Qube/RaQ server. | An intruder may be gathering information which could be useful to set up a later attack. |
417 | 2002545 | .url URL type | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a URL file. This may cause access to privileged information on the client system. | Patch browser software. | An intruder launches a program or an executable that could cause damage to a computer. |
418 | 2002546 | .lnk URL type | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a lnk file. This may cause access to privileged information on a client's system. | Patch browser software. | An intruder launches a program or an executable that could cause damage to a computer. |
419 | 2002547 | WebStore admin URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the WebStore shopping cart administration directory. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
420 | 2002548 | Shopping cart order URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the Shopping cart order log file containing customer orders. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
421 | 2002549 | Order Form v1.2 data URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the Order Form log file containing customer orders. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
422 | 2002550 | Order Form data URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the Order Form log file containing customer orders. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
423 | 2002551 | EZMall data URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the EZMall customer order directory. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
424 | 2002552 | QuikStore configuration URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the QuikStore configuration file. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
425 | 2002553 | SoftCart password URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the SoftCart password file. | Properly install shopping cart software. | An intruder may be gathering information which could be useful to set up a later attack. |
426 | 2002554 | Cold Fusion sample URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the Cold Fusion sample file. This may cause unintended access to data. | Remove ColdFusion documentation, sample code, example applications and tutorials from production servers. Secure access to these files on workstations. | An intruder may be gathering information which could be useful to set up a later attack. |
427 | 2002555 | favicon.ico bad format | 0 | agg | -1 | 2 | | Suspicious file format | Downloaded ICON file is malformed; it may be used to break into the system on which the browser is executing. | Upgrade the web browser. | Intruder gains access, and may potentially crash the system. |
428 | 2002556 | Site Server sample URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a site configuration file which was installed as a sample file for Microsoft Site Server. | Remove sample files from server. | Intruder gains access, and may potentially crash the system. |
429 | 2002557 | IIS sample URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a Microsoft IIS sample file. | Remove IIS sample files from server. | An intruder may be gathering information which could be useful to set up a later attack. |
430 | 2002558 | IIS password change | 0 | agg | -1 | 2 | | Suspicious URL | A password change was attempted using password change forms in the directory IISADMPWD. | Remove remote-password change feature if not needed. | An intruder may be attempting to log onto a system. |
431 | 2002559 | IIS malformed HTR request | 0 | agg | -1 | 3 | | Suspicious URL | A buffer overflow was attempted against a well-known weakness in Microsoft's Internet Information Server. | Update Web server. | Intruder gains access and may break in or crash the system. |
432 | 2002560 | IIS data service query | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the Microsoft IIS remote data service. | Update Web server. | Intruder gains unauthorized access to the server. |
433 | 2002561 | .htaccess URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to read the web server's per-directory access control file (.htaccess). This file contains sensitive configuration information. | Ensure permissions are correct for .htaccess file. | Intruder gains sensitive information. |
434 | 2002562 | passwd.txt URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the passwd.txt file. The passwd.txt file may contain encrypted passwords. | Restrict access to file. | Intruder gains access to password information. |
435 | 2002563 | NT system backup URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the system backup file in the Windows NT repair directory | Restrict access to file. | Intruder gains access to sensitive information. |
436 | 2002564 | CGI imagemap.exe | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to overflow the buffer of a CGI program with known weaknesses. | Remove file if not necessary for operation. If necessary, then update to a secure version. | Intruder potentially gains access to the system. |
437 | 2002565 | adpassword.txt URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the adpassword.txt file. The adpassword.txt file may contain an encrypted password. | Restrict access to file. | Intruder gains access to password information. |
438 | 2002566 | CGI whois suspicious field | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to use whois.cgi to execute a shell command on the server. | Update CGI program. | Intruder can access commands on the server. |
439 | 2002567 | Cold Fusion cache URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a Cold Fusion cache map file containing a list of cached URLs. | Restrict access to file. | Intruder gains access to sensitive information. |
440 | 2002568 | IIS malformed HTW request | 0 | IP | -1 | 3 | | Suspicious URL | Attacker attempts to access unauthorized data on a Web server. | Update Web server. | Intruder gains sensitive information. |
441 | 2002569 | CGI finger.cgi | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access finger.cgi with a suspicious argument. This may allow inappropriate access. | Update server application. | Intruder potentially gains access to the system. |
442 | 2002570 | WebSpeed admin URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access the administration functions of the WebSpeed server application. | Update server application. | Intruder gains access to sensitive information. |
443 | 2002571 | UBB suspicious posting | 0 | agg | -1 | 2 | | Suspicious data in POST field | Attacker attempts to execute arbitrary commands on the Ultimate Bulletin Board server. | Update server application. | Intruder potentially gains access to the system. |
444 | 2002572 | SubSeven ICQ pager URL | 0 | agg | -1 | 4 | | Trojan horse infection | Attempt by SubSeven trojan to send ICQ page to intruder. | Use Antivirus software to remove SubSeven trojan horse application. | Intruder potentially gains access to the system. |
445 | 2002573 | Oracle batch file URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute arbitrary commands on the Oracle Web Listener server. | Update server configuration. | Intruder potentially gains access to the system. |
446 | 2002574 | sojourn.cgi argument contains %00 | 0 | agg | -1 | 2 | | Suspicious URL argument | Attacker attempts to access unauthorized data on the Web server. | Update sojourn.cgi program. | Intruder gains access to sensitive information. |
447 | 2002575 | Index Server null.htw exploit | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access unauthorized data on the Web server. | Update Web server. | Intruder gains sensitive information. |
448 | 2002576 | FrontPage extension backdoor URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to access a Web page using a backdoor in FrontPage 98 server extensions. | Update Web server. | Intruder gains sensitive information. |
449 | 2002577 | FrontPage htimage.exe URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to overflow the buffer of a CGI program with known weaknesses. | Update Web server. | Intruder potentially gains access to the system. |
450 | 2002578 | InfoSearch CGI exploit | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to execute a command on the server. | Update server software. | Intruder potentially gains access to the system. |
451 | 2002579 | Cart32 Clientlist URL | 0 | agg | 1 | 2 | | Suspicious URL | Attacker attempts to get a list of vital shopping cart client information. | Update server software. | Intruder gains access to sensitive information. |
452 | 2002580 | Cart32 ChangeAdminPassword URL | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to change the administrator password. | Update server software. | Intruder gains access to sensitive information. |
453 | 2002581 | Listserv CGI exploit | 0 | agg | -1 | 2 | | Suspicious URL | Attacker attempts to overflow the buffer of a CGI program with known weaknesses. | Update server software. | Intruder gains unauthorized access to the server. |
454 | 2002701 | SMB passwd file | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the passwd file. The passwd file contains encrypted Unix passwords. | Close network path to file. | An intruder may be gathering information which could be useful to set up a later attack. |
455 | 2002702 | SMB sam file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access the sam file. The sam file contains privileged Windows information. | Close network path to file. | An intruder may be gathering information which could be useful to set up a later attack. |
456 | 2002703 | SMB winreg file | 0 | agg | -1 | 1 | | Suspicious file | Attacker attempts to access the Windows registry. | Close network path to file. | An intruder may be gathering information which could be useful to set up a later attack. |
457 | 2002704 | SMB pwl file type | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access a Windows pwl file. The pwl file contains encrypted Windows passwords. | Close network path to file. | An intruder may be gathering information which could be useful to set up a later attack. |
458 | 2002705 | SMB win.ini file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
459 | 2002706 | Startup file access | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
460 | 2002707 | SMB autoexec.bat file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
461 | 2002801 | MS rpc dump | 0 | IP | -1 | 3 | | Scan | Attacker attempts to see what MS RPC-based services are available. | Close network path to service. | An intruder may be gathering information which could be useful to set up a later attack. |
462 | 2002802 | MS share dump | 0 | 0 | -1 | 2 | | Scan | Attacker attempts to see what NT shares are available. | Close network path to service. | An intruder may be gathering information which could be useful to set up a later attack. |
463 | 2002803 | MS domain dump | 0 | 0 | -1 | 2 | | Scan | Attacker attempts to see what NT domains/user names are available. | Close network path to service. | An intruder may be gathering information which could be useful to set up a later attack. |
464 | 2002804 | MS name lookup | 0 | 0 | -1 | 2 | | Scan | Attacker attempts to look up an NT user name to see if it is valid. | Close network path to service. | An intruder may be gathering information which could be useful to set up a later attack. |
465 | 2002805 | MS security ID lookup | 0 | 0 | -1 | 2 | | Scan | Attacker attempts to look up an NT security ID to test its validity. | Close network path to service. | An intruder may be gathering information which could be useful to set up a later attack. |
466 | 2002806 | Malformed LSA request | 0 | IP | -1 | 3 | | Denial of service attempt | A malformed frame was sent to the Security Authority of a Windows server. The server may fail. | Update operating system. | An intruder is attempting to crash the LSA service. |
467 | 2002807 | RFPoison attack | 0 | IP | -1 | 3 | | Denial of service attempt | A malformed frame was sent to the Server Services of a Windows system. This may cause the system to fail. | Update operating system. | An intruder is attempting to crash the SERVICE process. |
468 | 2002901 | PPTP malformed | 0 | IP | -1 | 3 | | Denial of service attempt | A malformed PPTP connection request was seen. This may crash your server. | Update operating system. | System crashes. |
469 | 2002902 | IGMP fragments | 0 | DoS | -1 | 2 | | Denial of service attempt | A malformed frame was seen; some operating systems may fail unpredictably. | Update operating system. | System crashes. |
470 | 2002903 | SNTP malformed | 0 | 0 | -1 | 2 | | Denial of service attempt | A corrupted time-service frame was seen. | Maybe something is hiding at this port. | Check running protocols. |
471 | 2002904 | SNTP time suspicious | 0 | 0 | -1 | 1 | | Suspicious time | The time announced by an SNTP server differs by more than one week from the system time. | Check your time settings. | The hacker may be trying to affect behavior of time-sensitive programs. |
472 | 2003001 | HTTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
473 | 2003002 | POP3 port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
474 | 2003003 | SMTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
475 | 2003004 | FTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
476 | 2003005 | IMAP4 port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
477 | 2003006 | Telnet port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
478 | 2003007 | Finger port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
479 | 2003008 | RLOGIN port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
480 | 2003009 | NetBIOS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
481 | 2003010 | NNTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
482 | 2003011 | DNS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
483 | 2003012 | PCAnywhere port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
484 | 2003013 | SQL port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
485 | 2003014 | MSRPC port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
486 | 2003015 | XWINDOWS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
487 | 2003016 | RPC port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
488 | 2003017 | SOCKS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
489 | 2003018 | PPTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
490 | 2003019 | IRC port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
491 | 2003020 | IDENT port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
492 | 2003021 | Linuxconf port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
493 | 2003101 | TCP trojan horse probe | B | 0 | -1 | 2 | | Scan | Attacker attempts to see if a trojan horse program is installed. | Filter IP address from attacking source. | Locates open ports on a system. |
494 | 2003102 | TCP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if a particular port is open for remote access. | Filter IP address from attacking source. | Locates open ports on a system. |
495 | 2003103 | NetBus port probe | B | 0 | -1 | 2 | | Scan | Attacker attempts to see if the NetBus trojan horse program is available. | Filter IP address from attacking source. | Locates open ports on a system. |
496 | 2003104 | Proxy port probe | B | 0 | -1 | 2 | | Scan | Attacker attempts to see if a particular port is open for remote access. | Filter IP address from attacking source. | Locates open ports on a system. |
497 | 2003105 | SubSeven port probe | B | 0 | -1 | 2 | | Scan | Attacker attempts to see if the SubSeven trojan horse program is available. | Filter IP address from attacking source. | Locates open ports on a system. |
498 | 2003201 | SECURITY/SAM reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to access a registry key containing passwords or other sensitive information. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
499 | 2003202 | RUN reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to write to a registry key which causes a program to run at reboot. | Ensure registry key has correct access controls. | A trojan horse application may have been installed. |
500 | 2003203 | RDS reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to write to a registry key which protects remote database access. | Ensure registry key has correct access controls. | Allows website to be further hacked. |
501 | 2003204 | Index Server reg hack | 0 | 0 | -1 | 2 | | Intrusion | Attacker attempts to scan the registry looking for hidden information. | Ensure registry key has correct access controls. | Allows intruder to scan a website for hidden information. |
502 | 2003205 | RASMAN privilege escalation reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to write to the registry in order to run a potentially hostile program. | Ensure registry key has correct access controls. | Intruder may be able to install a trojan horse application. |
503 | 2003206 | LSA secrets reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to access Local Security Authority information from the registry. | Ensure registry key has correct access controls. | Intruder gains access to privileged information. |
504 | 2003207 | AeDebug reg hack | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to write to the registry in order to run a potentially hostile program. | Ensure registry key has correct access controls. | Allows a website to be further hacked. |
505 | 2003208 | Imail admin | 0 | 0 | -1 | 3 | | Intrusion | Attacker attempts to elevate Imail user privileges to admin. | Ensure registry key has correct access controls. | Intruder gains admin rights. |
506 | 2003209 | SQL Exec Passwd | 0 | 0 | -1 | 2 | | Intrusion | Attacker attempts to access the MS SQL Executive password. | Ensure registry key has correct access controls. | Intruder gains SQL administrator password. |
507 | 2003301 | AOL Instant Messenger overflow | 0 | 0 | -1 | 3 | | Intrusion | A malformed frame was sent to an Instant Messenger client. This may allow an intruder to access sensitive information. | Filter IP address from attacking source. | An intruder is attempting to break in. |
508 | 2003401 | SNMP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
509 | 2003402 | RPC port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
510 | 2003403 | NFS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
511 | 2003404 | TFTP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
512 | 2003405 | MSRPC port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
513 | 2003406 | UDP ECHO port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
514 | 2003407 | CHARGEN port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
515 | 2003408 | QOTD port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
516 | 2003409 | DNS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
517 | 2003410 | MSDNS port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
518 | 2003411 | NFS-LOCKD port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if this well-known service is available. | Filter IP address from attacking source. | Locates open ports on a system. |
519 | 2003501 | UDP trojan horse probe | B | 0 | -1 | 2 | | Scan | Attacker attempts to see if a trojan horse program is installed. | Filter IP address from attacking source. | Locates open ports on a system. |
520 | 2003502 | UDP port probe | B | 0 | -1 | 1 | | Scan | Attacker attempts to see if a particular port is open for remote access. | Filter IP address from attacking source. | Locates open ports on a system. |
521 | 2003601 | TFTP passwd file | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the passwd file. The passwd file contains encrypted Unix passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
522 | 2003602 | TFTP sam._ file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access the sam file. The sam file contains privileged Windows information. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
523 | 2003604 | TFTP pwl file type | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access a Windows pwl file. The Windows pwl file contains encrypted Windows passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
524 | 2003605 | TFTP win.ini file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
525 | 2003701 | FTP passwd file | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the passwd file. The passwd file contains encrypted Unix passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
526 | 2003702 | FTP sam._ file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access the sam file. The sam file contains privileged Windows information. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
527 | 2003704 | FTP pwl file type | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access a Windows pwl file. The Windows pwl file contains encrypted Windows passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
528 | 2003705 | FTP win.ini file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
529 | 2003801 | HTTP GET passwd file | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the passwd file. The passwd file contains encrypted Unix passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
530 | 2003802 | HTTP GET sam._ file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access the sam file. The sam file contains privileged Windows information. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
531 | 2003804 | HTTP GET pwl file type | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access a Windows pwl file. The Windows pwl file contains encrypted Windows passwords. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
532 | 2003806 | HTTP GET AltaVista password | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the password for remote administration of an AltaVista Search engine. | Filter IP address from attacking source. | An intruder may be gathering information which could be useful to set up a later attack. |
533 | 2003901 | HTTP POST passwd file | 0 | agg | -1 | 2 | | Suspicious file | Attacker attempts to access the passwd file. The passwd file contains encrypted Unix passwords. | Examine file for corruption. | An intruder may be gathering information which could be useful to set up a later attack. |
534 | 2003902 | HTTP POST sam._ file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access the sam file. The sam file contains privileged Windows information. | Examine file for corruption. | An intruder may be gathering information which could be useful to set up a later attack. |
535 | 2003904 | HTTP POST pwl file type | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access a Windows pwl file. The Windows pwl file contains encrypted Windows passwords. | Examine file for corruption. | An intruder may be gathering information which could be useful to set up a later attack. |
536 | 2003905 | HTTP POST win.ini file | 0 | agg | -1 | 3 | | Suspicious file | Attacker attempts to access system configuration information. | Examine file for corruption. | An intruder may be inserting a trojan horse application. |
537 | 2004001 | SOCKS connect | 0 | 0 | -1 | 0 | | Socks used | A successful connection was made from an Internet address using the SOCKS proxy protocol. | Check the intruder's address for legitimacy. | Allows intruders to use a system to access the Internet anonymously. |
538 | 2004002 | SOCKS over SOCKS | 0 | agg | -1 | 3 | | Suspicious proxying | A SOCKS proxy server is being used to forward SOCKS traffic to another system. | Check the configuration of the SOCKS proxy server. | An intruder may be using your system to attack another system. |
539 | 2009100 | DNS crack successful | 0 | IP | -1 | 4 | | Intrusion successful | A hacker has successfully cracked into the DNS service. Your system has been compromised. | Examine all files for reasonableness. | An intruder gains access to your system. |
540 | 4000001 | ICEcap Agent not responding | 0 | 0 | 0 | 4 | | Informational | ICEcap has determined that an agent is not responding. | n/a | n/a |
541 | 4000002 | ICEcap Agent clock difference | 0 | 0 | 0 | 4 | | Informational | ICEcap has determined that the relative clock difference of an agent exceeds the configured threshold. | n/a | n/a |