Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:332 |
| Message | FINGER 0 query |
| Summary | An intelligence gathering attack against the finger daemon |
| Impact | The attacker may obtain information about user accounts on the target system. |
| Detailed Information | This event is generated when an attempt is made to use a finger command against a host with a username of "0". A finger query against a vulnerable finger daemon may allow the attacker to obtain a list of accounts on the target system with some details for each account where present (such as time and source of the last login). Obtaining a list of accounts might precipitate further attacks such as password guessing, email attacks and other abuse. |
| Affected Systems | |
| Attack Scenarios | An attacker learns that the "sys" account exists on the system, then guesses its password and gains remote access to the system. |
| Ease of Attack | Simple; no exploit software is required. |
| Corrective Action | Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS378 ; http://www.whitehats.com/info/IDS131 ; CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0197 ; Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10069%20(Finger%20zero%20at%20host |
| Rule References | arachnids: 131; arachnids: 378; cve: 1999-0197; nessus: 10069 |
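
The check described under Detailed Information, written out as an added example (it is not the Snort rule and not Aanval code). It parses the request line of a finger client payload in the RFC 1288 form (`/W` flag, username, optional `@host` forwarding) and flags a username of exactly "0". The function names and the sample payloads are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple


class FingerQuery(NamedTuple):
    verbose: bool            # client sent the /W (verbose) flag
    user: str                # requested username, "" for a "list users" query
    hosts: Tuple[str, ...]   # @host forwarding chain, if any


def parse_finger_query(payload: bytes) -> Optional[FingerQuery]:
    """Parse the first request line of a finger (TCP/79) client payload.

    Returns None when the line is not a single well-formed query.
    """
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    tokens = text.split()
    verbose = False
    if tokens and tokens[0].upper() == "/W":
        verbose = True
        tokens = tokens[1:]
    if len(tokens) > 1:
        return None
    target = tokens[0] if tokens else ""
    user, *hosts = target.split("@")
    return FingerQuery(verbose, user, tuple(hosts))


def is_zero_query(payload: bytes) -> bool:
    """True when the requested username is exactly "0"."""
    query = parse_finger_query(payload)
    return query is not None and query.user == "0"


# Constructed sample payloads, as a sensor would see them from client to port 79.
SAMPLES = [b"0\r\n", b"/W 0\r\n", b"0@relay.example\r\n",
           b"root\r\n", b"user10\r\n", b"\r\n"]


def flagged(payloads):
    """Return the payloads that should raise the 'FINGER 0 query' event."""
    return [p for p in payloads if is_zero_query(p)]


if __name__ == "__main__":
    for p in flagged(SAMPLES):
        print("FINGER 0 query:", p)
```

Parsing the username field instead of searching for the byte "0" keeps queries such as `user10` from raising the event.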