GEN:SID 1:361
Message FTP SITE EXEC attempt
Summary This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
Impact Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit.
Detailed Information A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
Affected Systems Servers running Washington University wu-ftpd version 2.4.1 or earlier.
Attack Scenarios An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
Ease of Attack Simple.
Corrective Action Upgrade to a later version of the wu-ftp daemon.
Additional References CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080

CERT
http://www.cert.org/advisories/CA-1995-16.html
Rule References arachnids: 317
bugtraq: 2241
cve: 1999-0080
cve: 1999-0955