FTP_Site Execute

 

Code: p36

Severity: Warning

 

Description: The FTP site command allows a user to execute certain commands on a destination host in addition to the normal FTP facility of transferring files. In ordinary usage of FTP, this is not a commonly used command.

Impact: If this occurs without a corresponding Sax2IDS SITE Exec .. Or SITE Exec Tar event, it is not obviously an attack. However, this is an unusual event, and you should examine the Sax2IDS FTP decode logs carefully to reconstruct this user's actions.

Corrective: While there may be a legitimate reason to execute site commands under certain circumstances, this facility has also been used to gain access. Consequently, an administrator may wish to view and log the site commands being executed to check for possible abuse.