Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:611 |
Message | RSERVICES rlogin login failure |
Summary | This event is generated when a remote login attempt using rlogin fails. |
Impact | Someone has tried to log in using rlogin and failed. |
Detailed Information | This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution. Multiple events may indicate that an attacker is attempting a brute force password guessing attack. |
Affected Systems | |
Attack Scenarios | An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times. |
Ease of Attack | Simple, no exploit software required |
Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity. Use ssh for remote access instead of rlogin. |
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651 ; Arachnids: http://www.whitehats.com/info/IDS392 |
Rule References | arachnids: 392 |
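
Added example (not part of the original rule documentation): one way to turn the "multiple events" hint above into a check, by counting 1:611 alerts per client and server pair inside a sliding time window. The alert lines are constructed, in Snort's "fast" alert layout; the function name, threshold, window and year are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" layout (not real traffic).
# Assumption: the source is the rlogind server (port 513) and the destination
# is the client whose login failed, since the rule matches the server's message.
SAMPLE_ALERTS = """\
08/12-10:15:01.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 198.51.100.7:1021
08/12-10:15:09.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 198.51.100.7:1020
08/12-10:15:11.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 203.0.113.9:1023
08/12-10:15:18.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 198.51.100.7:1019
08/12-10:15:26.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 198.51.100.7:1018
08/12-10:15:40.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 198.51.100.7:1017
08/12-10:21:30.000000  [**] [1:611:1] RSERVICES rlogin login failure [**] [Priority: 2] {TCP} 192.0.2.10:513 -> 203.0.113.9:1022
""".splitlines()

# Match only GEN:SID 1:611 (any revision) and capture time and both endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[1:611:\d+\].*?"
    r"\{TCP\}\s+(?P<server>[\d.]+):\d+\s+->\s+(?P<client>[\d.]+):\d+")


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {(client, server): time the threshold was first reached}.

    Fast alerts carry no year, so one is supplied (assumption); input must be
    in chronological order and must not span a year boundary.
    """
    recent = defaultdict(deque)   # (client, server) -> timestamps in window
    flagged = {}
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue              # other rules and malformed lines are ignored
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        key = (m["client"], m["server"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged


if __name__ == "__main__":
    for (client, server), when in find_bruteforce(SAMPLE_ALERTS).items():
        print(f"{when} possible rlogin password guessing: {client} -> {server}")
```

A single failed login stays below the threshold, so an occasional mistyped password does not raise a finding; only repeated failures from one client against one server do.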
--
DID:738825