Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:584 |
Message | RPC portmap rusers request UDP |
Summary | Someone probed for the rusers RPC service, possibly to gather information before an attack. |
Impact | An attacker may have gotten a listing of the users logged into the target system. |
Detailed Information | The rusers RPC service is used to remotely list all logged-in users on a machine. Discovering this information may be useful to an attacker. Because of the nature of RPC, the actual rusers access occurs in a separate network session on an arbitrary port. |
Affected Systems | |
Attack Scenarios | An attacker runs a vulnerability assessment tool, or the standard Unix rusers command. The attacker may use information gleaned from this to better target his attacks. |
Ease of Attack | Tools to probe the rusers service come standard with most Unix variants. |
Corrective Action | Try to determine whether the target system was running rusers or not. Because the rusers service itself represents a potentially dangerous exposure, consider disabling the rusers service if it has not already been disabled. Try to determine whether this activity was part of a larger reconnaissance effort, a precursor to an attack, or legitimate use. |
Additional References | |
Rule References | arachnids: 133 cve: 1999-0626 |
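
Added example (not part of the original rule documentation and not the Snort rule's own matching logic): a decoder for the portmap lookup described under Detailed Information, which flags a UDP payload that asks the portmapper where rusers is listening. The program numbers 100000 (portmapper) and 100002 (rusers) and procedure 3 (GETPORT) are the standard ONC RPC assignments and do not appear on this page; the function names and the sample packets are constructed for illustration.

```python
import struct

PMAP_PROG = 100000      # portmapper program number (0x186A0)
PMAP_GETPORT = 3        # PMAPPROC_GETPORT
RUSERS_PROG = 100002    # rusers program number (0x186A2)
IPPROTO = {6: "tcp", 17: "udp"}


def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    return off + 8 + ((length + 3) & ~3)


def parse_getport(payload):
    """Return the GETPORT arguments as a dict, or None if the UDP payload
    is not a well-formed portmap GETPORT call."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
        if mtype != 0 or rpcvers != 2:          # 0 = CALL, ONC RPC version 2
            return None
        if prog != PMAP_PROG or proc != PMAP_GETPORT:
            return None
        off = _skip_opaque_auth(payload, 24)    # credentials
        off = _skip_opaque_auth(payload, off)   # verifier
        q_prog, q_vers, q_proto, _port = struct.unpack_from(">4I", payload, off)
    except struct.error:                        # truncated or malformed datagram
        return None
    return {"xid": xid, "program": q_prog, "version": q_vers,
            "protocol": IPPROTO.get(q_proto, str(q_proto))}


def is_rusers_lookup(payload):
    """True when the payload asks the portmapper where rusers is listening."""
    call = parse_getport(payload)
    return call is not None and call["program"] == RUSERS_PROG


def build_getport(program, xid=0x1234ABCD, cred=b""):
    """Constructed sample: a GETPORT call carrying optional credential bytes."""
    pad = b"\x00" * (-len(cred) % 4)
    hdr = struct.pack(">6I", xid, 0, 2, PMAP_PROG, 2, PMAP_GETPORT)
    auth = struct.pack(">II", 1 if cred else 0, len(cred)) + cred + pad
    return hdr + auth + struct.pack(">II", 0, 0) + struct.pack(">4I", program, 2, 17, 0)


if __name__ == "__main__":
    for name, prog in (("rusers", 100002), ("nfs", 100003)):
        print(name, is_rusers_lookup(build_getport(prog)))
```

A match only shows that the port of the rusers service was requested; the user listing itself would travel in the separate session noted above, so follow-up traffic from the same source to the returned port is what to look for next.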
--
DID:314777