Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:603 |
Message | RSERVICES rlogin echo++ |
Summary | This event is generated when an attempt to modify access control permissions for remote shell logins is attempted. |
Impact | An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host. |
Detailed Information | The rule generates an event when system reconfiguration is attempted via "rsh". The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication. This activity is indicative of attempts to abuse hosts using a default configuration. Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session. |
Affected Systems | |
Attack Scenarios | An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location |
Ease of Attack | Simple, no exploit software required |
Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity Use ssh for remote access instead of rlogin. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS385 |
Rule References | arachnids: 385 |
--
DID:460090
--
http://www.aanval.com/