GEN:SID 1:584
Message RPC portmap rusers request UDP
Summary Someone probed for the rusers RPC service, possibly to gather information
before an attack.
Impact An attacker may have gotten a listing of the users logged into the target
system.
Detailed Information The rusers RPC service is used to remotely list all logged in users on a
machine.  Discovering this information may be useful to an attacker.
Because of the nature of RPC, the actual rusers access occurs in a seperate
network session on an arbitrary port.
Affected Systems  
Attack Scenarios An attacker runs a vulnerability assessment tool, or the standard Unix
rusers command.  The attacker may use information gleaned from this to
better target his attacks.
Ease of Attack Tools to probe the rusers service come standard with most Unix variants.
Corrective Action Try to determine whether the target system was running rusers or not.  Because
the rusers service itself represents a potentially dangerous exposure,
consider disabling the rusers service if it has not already been disabled.
Try to determine whether this activty was part of a larger reconnaissance
effort, predecessor to an attack, or legitimate use.
Additional References  
Rule References arachnids: 133
cve: 1999-0626