GEN:SID | 1:1227 |
Message | X11 outbound client connection detected |
Summary | This event is generated when an attempt is made to communicate to an internal host from a remote X server session.
|
Impact | Remote access. This attack may indicate that an internal host has been compromised and has been configured to offer remote access through an xterm session.
|
Detailed Information | Traffic from source ports 6000 through 6005 inclusive may indicate that an internal host is communicating with an external host using an xterm session. An attacker may compromise an internal host and establish communications between the remote host and the compromised host using an xterm session. This is particularly effective means of establishing communications because the xterm session is established by the internal host. Typically, firewalls do not scrutinize or block outbound traffic, such as establishing an xterm session.
|
Affected Systems | Host offering xterm client software.
|
Attack Scenarios | An attacker may establish communications using an xterm session between a compromised host and remote host.
|
Ease of Attack | Simple.
|
Corrective Action | Block outbound xterm sessions.
|
Additional References | |
Rule References | arachnids: 126
|