FTP_Site Execute


Code: p36

Severity: Warning


Description: The FTP site command allows a user to execute certain commands on a destination host in addition to the normal FTP facility of transferring files. In ordinary usage of FTP, this is not a commonly used command.

Impact: If this occurs without a corresponding Sax2IDS SITE Exec .. Or SITE Exec Tar event, it is not obviously an attack. However, this is an unusual event, and you should examine the Sax2IDS FTP decode logs carefully to reconstruct this user's actions.

Corrective: While there may be a legitimate reason to execute site commands under certain circumstances, this facility has also been used to gain access. Consequently, an administrator may wish to view and log the site commands being executed to check for possible abuse.