GEN:SID | 1:611 |
Message | RSERVICES rlogin login failure |
Summary | This event is generated when a remote login attempt using rlogin fails.
|
Impact | Someone has tried to log in using rlogin and failed.
|
Detailed Information | This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
|
Affected Systems | |
Attack Scenarios | An attacker finds a machine with the rlogin service running and proceeds to guess the password remotely by connecting multiple times.
|
Ease of Attack | Simple; no exploit software is required.
|
Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity.
Use ssh for remote access instead of rlogin.
|
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
Arachnids: http://www.whitehats.com/info/IDS392
|
Rule References | arachnids: 392
|