GEN:SID | 1:1262 |
Message | RPC portmap admind request TCP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening.
|
Impact | Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind.
|
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to remotely perform distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration.
|
Affected Systems | Any host running admind with weak authentication.
|
Attack Scenarios | An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind.
|
Ease of Attack | Simple.
|
Corrective Action | Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
Disable unneeded RPC services.
|
Additional References | Arachnids http://www.whitehats.com/info/IDS18
|
Rule References | arachnids: 18
|