[Snort-sigs] Sid 719

Pedro Rosa Pedro.Rosa at ...402...
Sat Mar 2 07:17:11 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:TELNET root login  

--
Sid:719

--
Summary:Attempt to use telnet service for root login 

--
Impact:Very Serious

--
Detailed Information:Most telnet daemons are installed with root login disabled. This is because passwords are transmitted in clear text, and the use of root may be quite dangerous, depending on how much control one has over the network between the host and the client. For this reason, telnet use is generally deprecated and many modern systems ship with it disabled. However, its relative ease of implementation and use leads many systems and administrators to rely on it for remote control. Frequently, such uses leave open the possibility of logging in as root.

--
Attack Scenarios:An attacker may sniff a connection to grab usernames and passwords. Once he captures a root session, he may log in and do whatever he wants on the host system. In other cases, a weak root password (e.g. "1234") may ease an attack if root is allowed to log in. Note that such cases may be on the rise as more and more users are using *NIX systems while still having a very weak understanding of security.

--
Ease of Attack:Easy to average

--
False Positives: Dumb attempts by script kiddies. Use of telnet connections on certain legacy systems. 

--
False Negatives: An attack may be performed and practically ignored amid the frequent use of such connections.
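For illustration, added here and not part of this submission or of the Snort rule itself: a small Python check that strips telnet option negotiation from the server-to-client stream and then looks for a login prompt followed by the echoed name root. The sample streams are constructed, and the check assumes the server echoes the typed username, so the pattern appears in the server-to-client direction.

```python
import re

# Telnet protocol bytes (RFC 854): IAC escape, subnegotiation begin/end,
# and the four option commands that carry one option byte after them.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Return only the application data, dropping IAC command sequences."""
    out, i, n = bytearray(), 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:            # truncated IAC at end of capture
            break
        elif stream[i + 1] == IAC:  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif stream[i + 1] == SB:   # skip subnegotiation up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif stream[i + 1] in OPTION_CMDS:
            i += 3                  # IAC <WILL|WONT|DO|DONT> <option>
        else:
            i += 2                  # two-byte command (NOP, GA, ...)
    return bytes(out)

# Login prompt followed by the echoed username "root" as a whole word,
# so "rootbeer" or similar names do not trigger the check.
ROOT_LOGIN = re.compile(rb"login\s*:\s*root(?=[\r\n\s]|$)", re.IGNORECASE)

def detect_root_login(server_to_client: bytes) -> bool:
    """True if the (reassembled) server-to-client stream shows a root login."""
    return ROOT_LOGIN.search(strip_telnet_negotiation(server_to_client)) is not None

# Constructed sample streams (not real captures). The WILL ECHO sequence is
# deliberately placed mid-word to show why negotiation must be stripped first.
SAMPLE_ROOT = (b"\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0"
               b"Linux 2.4 (host1)\r\n\r\nhost1 login: ro\xff\xfb\x01ot\r\nPassword: ")
SAMPLE_USER = b"host1 login: alice\r\nPassword: "
SAMPLE_PREFIX = b"host1 login: rootbeer\r\nPassword: "

if __name__ == "__main__":
    for name, s in [("root", SAMPLE_ROOT), ("alice", SAMPLE_USER), ("rootbeer", SAMPLE_PREFIX)]:
        print(name, "->", "ALERT" if detect_root_login(s) else "ok")
```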

--
Corrective Action:Disable telnet and use ssh if you can. Disable remote root login completely. However, if you are forced to use telnet (certain systems do require it), do everything possible to restrict its use to controlled and secure connections, and avoid the use of root over them as much as possible.

--
Contributors:

-- 
Additional References:
