Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:517 |
| Message | MISC xdmcp query |
| Summary | This event is generated when an attempt is made to query the XDMCP service. |
| Impact | Serious. Information disclosure. Unauthorized access to the system. |
| Detailed Information | An XDMCP query can provide a wealth of information about a host such as a login screen, a list of users on the host, and to bypass access control restrictions used by tcpwrapper and to bypass the restriction of login by user "root" on the box. |
| Affected Systems | Any UNIX based server running XDMCP. |
| Attack Scenarios | An attacker can use this to find out information about the machine and then either launch a specific attack or connect to the X windows server using XDMCP. |
| Ease of Attack | Simple. |
| Corrective Action | Disable XDMCP if not needed. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS476 |
| Rule References | arachnids: 476 |
--
DID:117256
--
http://www.aanval.com/