GEN:SID | 1:1271 |
Message | RPC portmap rusers request TCP |
Summary | Someone probed for the rusers RPC service, possibly to gather information before an attack.
|
Impact | An attacker may have gotten a listing of the users logged into the target system.
|
Detailed Information | The rusers RPC service is used to remotely list all logged-in users on a machine. Discovering this information may be useful to an attacker. Because of the nature of RPC, the actual rusers access occurs in a separate network session on an arbitrary port.
|
Affected Systems | |
Attack Scenarios | An attacker runs a vulnerability assessment tool, or the standard Unix rusers command. The attacker may use information gleaned from this to better target his attacks.
|
Ease of Attack | Tools to probe the rusers service come standard with most Unix variants.
|
Corrective Action | Try to determine whether the target system was running rusers or not. Because the rusers service itself represents a potentially dangerous exposure, consider disabling the rusers service if it has not already been disabled. Try to determine whether this activity was part of a larger reconnaissance effort, a predecessor to an attack, or legitimate use.
|
Additional References | |
Rule References | arachnids: 133
cve: 1999-0626
|
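The portmap lookup described under Detailed Information can be recognized by decoding the RPC call instead of matching fixed byte offsets. The sketch below is an added example, not the Snort rule or any project's code; it assumes the standard ONC RPC numbers (portmapper 100000, GETPORT procedure 3, rusersd 100002), which are not stated on this page, and `build_getport` produces constructed sample input.

```python
import struct

PMAP_PROG = 100000       # portmapper program number (assumed, standard ONC RPC)
PMAPPROC_GETPORT = 3     # portmapper procedure: map a program to its port
RUSERS_PROG = 100002     # rusersd program number (assumed, standard ONC RPC)
IPPROTO = {6: "tcp", 17: "udp"}

def parse_getport(stream):
    """Decode one unfragmented TCP RPC record; return GETPORT args or None."""
    if len(stream) < 4:
        return None
    (marker,) = struct.unpack(">I", stream[:4])
    last, length = bool(marker >> 31), marker & 0x7FFFFFFF
    body = stream[4:4 + length]
    if not last or len(body) < length or length < 24:
        return None      # fragmented or truncated records are not handled here
    xid, mtype, rpcvers, prog, _vers, proc = struct.unpack(">6I", body[:24])
    if (mtype, rpcvers, prog, proc) != (0, 2, PMAP_PROG, PMAPPROC_GETPORT):
        return None      # not an RPC v2 CALL to portmapper GETPORT
    off = 24
    for _ in range(2):   # skip credential, then verifier (variable length)
        if off + 8 > len(body):
            return None
        _flavor, olen = struct.unpack(">II", body[off:off + 8])
        off += 8 + ((olen + 3) & ~3)   # opaque data is padded to 4 bytes
    if off + 16 > len(body):
        return None
    t_prog, t_vers, t_prot, _port = struct.unpack(">4I", body[off:off + 16])
    return {"xid": xid, "program": t_prog, "version": t_vers,
            "proto": IPPROTO.get(t_prot, str(t_prot))}

def is_rusers_lookup(stream):
    """True when the record asks portmap where rusersd is listening."""
    info = parse_getport(stream)
    return info is not None and info["program"] == RUSERS_PROG

def build_getport(xid, program, proto=6, cred=b""):
    """Constructed sample request (not captured traffic)."""
    pad = b"\x00" * (-len(cred) % 4)
    body = struct.pack(">6I", xid, 0, 2, PMAP_PROG, 2, PMAPPROC_GETPORT)
    body += struct.pack(">II", 1 if cred else 0, len(cred)) + cred + pad
    body += struct.pack(">II", 0, 0)               # AUTH_NONE verifier
    body += struct.pack(">4I", program, 2, proto, 0)
    return struct.pack(">I", 0x80000000 | len(body)) + body
```

A match only shows that the port was looked up; the rusers query itself runs in a separate session to whatever port the portmapper returned, so correlate on the reply's port to confirm access.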