Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:715 |
| Message | TELNET Attempted SU from wrong group |
| Summary | This event is generated when a telnet server sends an error message regarding a failed user attempt to issue the 'su' command to get root privileges. |
| Impact | Failed root access. This attack occurs when a user attempts to get root privileges using the su command. |
| Detailed Information | An attacker may attempt to gain root privileges by issuing the su command. This implies that the attacker has successfully connected to the telnet server with an account other than root. A failed attempt will cause an error message to be generated indicating that the user is not a member of an authorized group to obtain root privileges. |
| Affected Systems | All telnet servers. |
| Attack Scenarios | An attacker may attempt to gain root privileges on a telnet server. |
| Ease of Attack | Simple |
| Corrective Action | Use ssh instead of telnet to prevent su passwords from being sniffed. Tightly restrict su access to authorized users. Block inbound telnet access if it is not required. |
| Additional References |
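The following is an added example, not part of the Aanval record or of the Snort rule set, showing the detection logic this event describes applied to a reassembled telnet session: only text sent by the telnet server back to the client is inspected, and a line is flagged when it carries the "not in the authorized group to su root" style error. The exact message wording is an assumption modelled on the BSD-style su error; it is not taken from the rule, and the sample session is constructed.

```python
import re
from dataclasses import dataclass

# Message wording is an ASSUMPTION modelled on the BSD-style su error
# ("you are not in the correct group (wheel) to su root"); platforms differ,
# so treat the pattern as a starting point, not as the Snort rule's content.
WRONG_GROUP_SU_RE = re.compile(
    r"not in (?:the )?(?:correct |right )?group\b.*\bto su root",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    msg: str
    line_no: int
    evidence: str


def is_wrong_group_su_error(direction: str, text: str) -> bool:
    """True when a server->client line carries the wrong-group su failure.

    The direction check mirrors the event description: the signature is about
    the error the telnet *server* sends back, never about what the client typed.
    """
    return direction == "server" and WRONG_GROUP_SU_RE.search(text) is not None


def scan_session(session):
    """Scan (direction, text) pairs from a reassembled telnet session and
    return one Alert per matching server line."""
    alerts = []
    for n, (direction, text) in enumerate(session, start=1):
        if is_wrong_group_su_error(direction, text):
            alerts.append(
                Alert(1, 715, "TELNET Attempted SU from wrong group", n, text.strip())
            )
    return alerts


# Constructed sample session (not a real capture); password bytes are masked.
SAMPLE_SESSION = [
    ("server", "login: "),
    ("client", "alice"),
    ("server", "Password: "),
    ("client", "********"),
    ("server", "$ "),
    ("client", "su"),
    ("server", "Password: "),
    ("client", "********"),
    ("server", "su: you are not in the correct group (wheel) to su root."),
    ("server", "$ "),
    # The same text typed or pasted by the client must not raise an alert.
    ("client", "you are not in the correct group (wheel) to su root."),
]

if __name__ == "__main__":
    for a in scan_session(SAMPLE_SESSION):
        print(f"[{a.gid}:{a.sid}] {a.msg} (line {a.line_no}): {a.evidence}")
```

Run against the sample session this reports a single alert for line 9 and ignores the client-side copy of the same text, which is the point of restricting the match to server-originated data: a user echoing or pasting the error string must not look like a failed privilege escalation.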
--
DID:732474
--
http://www.aanval.com/