Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:608 |
| Message | RSERVICES rsh echo + + |
| Summary | This event is generated when an attempt is made to modify access control permissions for remote shell logins. |
| Impact | An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host. |
| Detailed Information | The rule generates an event when system reconfiguration is attempted via "rsh". The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication. This activity is indicative of attempts to abuse hosts using a default configuration. Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session. |
| Affected Systems | |
| Attack Scenarios | An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location. |
| Ease of Attack | Simple, no exploit software required |
| Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity. Use ssh for remote access instead of rlogin. |
| Additional References | http://www.whitehats.com/info/IDS388 |
| Rule References | arachnids: 388 |
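
As a follow-up to the corrective action above, this added example (not part of the original rule documentation) audits r-services trust files on the target host for the wildcard entries that "echo + +" produces. It assumes the standard trust file locations `/etc/hosts.equiv` and `~/.rhosts`, which the page does not name; the sample file content and function names are constructed for illustration.

```python
import os
import sys

# Constructed sample of an r-services trust file (not taken from a real host).
SAMPLE_RHOSTS = """\
# trusted build hosts
build01.example.com deploy
+ +
+ alice
backup.example.com +
-badhost.example.com
"""

def audit_trust_text(text):
    """Return (line_no, severity, entry) for entries with a bare '+' wildcard."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((no, "critical", line))  # any user from any host
        elif host == "+" or user == "+":
            findings.append((no, "high", line))      # wildcard host or wildcard user
    return findings

def audit_paths(paths):
    """Audit each readable file; return {path: findings} for files with hits."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_trust_text(fh.read())
        except OSError:
            continue  # file absent or unreadable
        if hits:
            results[path] = hits
    return results

def default_paths():
    """Assumed locations: /etc/hosts.equiv plus ~/.rhosts for every account."""
    import pwd  # UNIX only
    homes = {p.pw_dir for p in pwd.getpwall()}
    return ["/etc/hosts.equiv"] + sorted(os.path.join(h, ".rhosts") for h in homes)

if __name__ == "__main__":
    for path, hits in audit_paths(sys.argv[1:] or default_paths()).items():
        for no, sev, entry in hits:
            print(f"{sev}: {path}:{no}: {entry}")
```

Run it as root so every account's `.rhosts` is readable; any "critical" line means passwordless r-service access is open to all hosts and users and the file should be treated as evidence for the investigation.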
--
DID:382869