MediumProventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This event triggers when the number of 'unescape()' or 'eval()' functions within a JavaScript file exceeds the value of pam.script.unescape.eval.limit. Large numbers of these functions within a script is an indication of an obfuscation attempt that might be used for the purpose of taking control of a system. This activity is highly suspicious.
Medium
Proventia Desktop: 2370, Proventia Network IPS: XPU 29.030, RealSecure Network: XPU 29.030, RealSecure Server Sensor: XPU 29.030, Proventia Network MFS: XPU 29.030, Proventia-G 1.1 and earlier: XPU 29.030, Proventia Network IDS: XPU 29.030, IBM Security Server Protection for Windows: 2.0.300.2370, IBM Security Server Protection for Windows: 1.0.914.2370, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 29.030, Virtual Server Protection for Vmware: 1.0
IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X
Suspicious Activity
Multiple unescape() or eval() statements have been detected. These statements could be used to obfuscate shell code for the purpose of evading other signatures and/or gaining access to a system.
This is an audit, it does not necessarily indicate an attack in progress. Investigate the traffic, block if necessary.
ISS X-Force
Multiple JavaScript unescape() or eval() functions detected
http://www.iss.net/security_center/static/48804.php