GEN:SID 1:546
Message POLICY FTP 'CWD ' possible warez site
Summary This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space.
Impact Unauthorized file storage.  An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software.
Detailed Information An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space.   This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software.
Affected Systems FTP servers
Attack Scenarios An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files.
Ease of Attack Simple
Corrective Action Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them.

Regularly monitor directories for sudden or drastic increased use of space.
Additional References