FTP_Site Command

 

Code: p63

Severity: Infomation

 

Description: The FTP site command allows a user to execute certain commands on a destination host in addition to the normal FTP facility of transferring files. In ordinary usage of FTP, this is not a commonly used command.

Impact: If this occurs without a corresponding RealSecure SITE Exec .. Or SITE Exec Tar event, it is not obviously an attack. However, this is an unusual event, and you should examine the RealSecure FTP decode logs carefully to reconstruct this user's actions.

Corrective: While there may be a legitimate reason to execute site commands under certain circumstances, this facility has also been used to gain access. Consequently, an administrator may wish to view and log the site commands being executed to check for possible abuse.