GEN:SID 1:1928
Message FTP shadow retrieval attempt
Summary This event is generated when activity relating to spurious ftp traffic
is detected on the network.
Impact Varies from information gathering to a serious compromise of an ftp
server.
Detailed Information FTP is used to transfer files between hosts. This event is indicative of
spurious activity in FTP traffic between hosts.

The event may be the result of a transfer of a known protected file or
it could be an attempt to compromise the FTP server by overflowing a
buffer in the FTP daemon or service.

In this case, the rule will generate an event due to the attempted
transfer of a shadow file. This file is generally used on muli-user
systems to provide greater security for user passwords. This file should
only be readable by the super user.
Affected Systems  
Attack Scenarios A user may transfer sensitive company information to an external party
using FTP. Retrieval of the shadow file may allow a user to crack the
encryption scheme used and gain unauthorized access to the host.

An attacker might utilize a vulnerability in an FTP daemon to gain
access to a host, then upload a Trojan Horse program to gain control of
that host.
Ease of Attack Simple.
Corrective Action Disallow access to FTP resources from hosts external to the protected
network.

Use secure shell (ssh) to transfer files as a replacement for FTP.
Additional References