I have Snort running and it has thown alerts on web traffic from my moodle server.
Here is a copy of the alert:
[**] [1:2002122:5] ET EXPLOIT Potential MS05-036 exploit - GIF with embedded ICC - Excessive Profile Size [**]
[Classification: Misc Attack] [Priority: 2]
01/26-13:34:56.685711 xxx.xxx.xxx.xxx:62327 -> xxx.xxx.xxx.xxx:59978
TCP TTL:64 TOS:0x8 ID:11866 IpLen:20 DgmLen:1500
**A*** Seq: 0xD435DA03 Ack: 0xC043B17F Win: 0xFFFF TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1219][Xref => http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx]
Upon further investigation two gif files in the moodle directory come up with the code ICCRGBG1012
that this snort rule is alerting on. I am not sure if a false alert, or if the Gif files have something wrong with them.
grep -R ICCRGBG1012 *
Binary file pix/f/dmg.gif matches
Binary file theme/chameleon/pix/f/dmg.gif matches