| GEN:SID | 1:605 |
| Message | RSERVICES rlogin login failure |
| Summary | This event is generated when a remote login attempt using rlogin fails.
|
| Impact | Someone has tried to log in using rlogin and failed.
|
| Detailed Information | This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
|
| Affected Systems | |
| Attack Scenarios | An attacker finds a machine with the rlogin service running and proceeds to guess the password remotely by connecting multiple times.
|
| Ease of Attack | Simple; no exploit software is required.
|
| Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity.
Use ssh for remote access instead of rlogin.
|
| Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
Arachnids: http://www.whitehats.com/info/IDS393
|
| Rule References | arachnids: 393
|
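
The Detailed Information entry notes that multiple events may indicate brute-force password guessing. The sketch below is an added example, not part of the original rule documentation: it counts 1:605 alerts per client/server pair in a sliding window. It assumes Snort "fast" alert lines in chronological order; the sample lines, addresses, rule revision, year, threshold and window are all constructed or hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a Snort "fast" alert line for GEN:SID 1:605 (any revision).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[1:605:\d+\].*"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {(client, server): peak_count} for every pair that reaches
    `threshold` rlogin login failures inside one sliding `window`."""
    recent = defaultdict(deque)   # (client, server) -> timestamps still in window
    flagged = {}
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue              # other SIDs and malformed lines are ignored
        # Fast alerts carry no year; `year` is supplied by the caller.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        # Assumption: the failure message is sent by rlogind, so the alert's
        # source is the server and its destination is the connecting client.
        key = (m["dst"], m["src"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

def _line(ts, client, sid=605):
    """Build one constructed fast-alert line (sample data, not real traffic)."""
    return (f"{ts}.000000  [**] [1:{sid}:1] RSERVICES rlogin login failure [**] "
            f"[Priority: 1] {{TCP}} 192.0.2.10:513 -> {client}:1021")

# Constructed sample: six failures in 40 s from one client, two isolated
# failures from another client.
SAMPLE = [_line(f"03/14-09:15:{s:02d}", "198.51.100.7") for s in (1, 9, 17, 25, 33, 41)]
SAMPLE += [_line("03/14-09:20:00", "203.0.113.9"), _line("03/14-10:45:00", "203.0.113.9")]

if __name__ == "__main__":
    for (client, server), count in find_bruteforce(SAMPLE).items():
        print(f"{client} -> {server}: {count} rlogin failures within 60 s")
```

Pairs that cross the threshold are the ones worth checking against the target host's own logs, as the Corrective Action entry advises.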