GEN:SID | 1:608 |
Message | RSERVICES rsh echo + + |
Summary | This event is generated when an attempt is made to modify access control permissions for remote shell logins.
|
Impact | An attacker may have modified remote login permissions such that any host is allowed to initiate a remote session on the target host.
|
Detailed Information | The rule generates an event when system reconfiguration is attempted via "rsh".
The command "echo + +" is used to relax access control permissions for r-services to allow access from any site without the need for password authentication.
This activity is indicative of attempts to abuse hosts using a default configuration.
Some UNIX systems use the "rsh" service to allow a connection to the machine for establishing an interactive session.
|
Affected Systems | |
Attack Scenarios | An attacker finds a machine with "rsh" enabled and reconfigures it to allow access from any location.
|
Ease of Attack | Simple, no exploit software required
|
Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity.
Use ssh for remote access instead of rlogin.
|
Additional References | http://www.whitehats.com/info/IDS388
|
Rule References | arachnids: 388
|
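A host-side check to accompany the corrective action above, as an added example that is not part of the original rule documentation: it scans the r-services trust files for the wildcard entries that "echo + +" would leave behind. The file locations (`/etc/hosts.equiv`, `/root/.rhosts`, `/home/*/.rhosts`) are assumed from the standard r-services layout and are not named on this page; the function names and the sample tree are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: audit r-services trust files for wildcard ("+") entries.
# Assumes the standard trust-file format: "host [user]" per line.

# Print "file:line: entry" for each wildcard trust entry in one file.
scan_trust_file() {
    [ -r "$1" ] || return 0                  # missing/unreadable: nothing to report
    awk -v f="$1" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        $1 == "+" || $2 == "+" {             # any host, or any user from a host
            printf "%s:%d: %s\n", f, NR, $0
        }' "$1"
}

# Number of wildcard entries in one file.
count_wildcards() {
    scan_trust_file "$1" | wc -l | tr -d ' '
}

# Scan hosts.equiv and per-user .rhosts files under a root (default: /).
audit_rservices() {
    root="${1:-}"
    scan_trust_file "$root/etc/hosts.equiv"
    for rhosts in "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        scan_trust_file "$rhosts"
    done
}

# Constructed sample tree (not from a real host) to show the output.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/root" "$demo/home/alice"
printf '# trusted peers\nbuildhost.example.com\n' > "$demo/etc/hosts.equiv"
printf '+ +\n' > "$demo/root/.rhosts"        # the entry this rule is about
# "+@admins" is a netgroup reference, not a wildcard, so it is not flagged.
printf 'buildhost.example.com alice\n+@admins\n' > "$demo/home/alice/.rhosts"
audit_rservices "$demo"
```

On a real host, call `audit_rservices` with no argument; any line it prints is a trust entry that accepts logins without a password from any host or any user.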