TELNET Attempted SU from wrong group


This signature indicates that someone logged in to a user account over
telnet has attempted to 'su' to the root account.



Detailed Information:

This signature indicates that somebody has logged in to a machine over a
telnet connection and then attempted to change to the root account with
'su'.  The signature matches the error message that 'su' prints when the
invoking user is not a member of the 'wheel' group, which BSD-derived
systems (and Linux systems using pam_wheel) require for switching to
root.  Because telnet carries the session in cleartext, this error text
is visible on the wire and can be matched by the sensor.  If the telnet
client is outside your network, this may indicate that the system has
been compromised.  It may also indicate that a legitimate local user is
trying to gain administrator access.  Telnet is a terminal emulation
program.  The telnet client connects to a telnet server, which usually
listens on TCP port 23.
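As an added illustration of what the signature is looking for (example
code written for this page, not the Snort rule itself), the following
Python script scans server-to-client telnet data for the wheel-group
refusal message.  It first strips telnet option negotiation (IAC
sequences) so that only terminal text is matched.  The exact wording of
the 'su' error is assumed to be the BSD-style message "you are not in the
correct group (wheel) to su root"; that pattern and the sample payloads
are assumptions constructed for this example, not taken from the
original page or a real capture.

```python
"""Toy detector for the 'TELNET Attempted SU from wrong group' condition.

Assumption: the server-to-client text matched is the BSD-style su error
"you are not in the correct group (wheel) to su root".  The IAC stripping
and the sample payloads below are constructed for this example.
"""
import re

IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254

# Assumed wheel-group refusal wording (BSD su); case-insensitive to tolerate
# minor variations in how the message is emitted.
SU_WHEEL_RE = re.compile(rb"not in the correct group \(wheel\) to su root", re.I)


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only terminal text remains.

    IAC IAC                      -> a literal 0xff byte
    IAC WILL/WONT/DO/DONT <opt>  -> three bytes dropped
    IAC SB ... IAC SE            -> whole subnegotiation dropped
    IAC <other command>          -> two bytes dropped
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break  # truncated IAC at end of segment
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2
    return bytes(out)


def su_wheel_refusal(server_to_client: bytes) -> bool:
    """True if the server's output carries the wheel-group su refusal."""
    return SU_WHEEL_RE.search(strip_telnet_iac(server_to_client)) is not None


# Constructed sample server->client payloads (not real captures).
SAMPLES = {
    "refused": (bytes([IAC, WILL, 1]) + b"Password:\r\n"
                + b"su: you are not in the correct group (wheel) to su root.\r\n$ "),
    "success": b"Password:\r\n# ",
    "banner_only": bytes([IAC, DO, 24]) + b"FreeBSD/amd64 (host) (ttyp0)\r\n\r\nlogin: ",
}


def classify_samples() -> dict:
    """Run the detector over every constructed sample."""
    return {name: su_wheel_refusal(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:12s} alert={hit}")
```

Only the "refused" sample raises an alert; a successful 'su' produces no
such text, so, like the signature itself, this check can only see the
failed attempt from a non-wheel user and is blind to an encrypted session.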

Affected Systems:

Attack Scenarios:

An attacker may have compromised the machine.  This program is also used

Ease of Attack:
Very Simple

False Positives:

None known.

False Negatives:

None known.

Corrective Action:

Use a firewall to restrict telnet access to trusted hosts.  It is
preferable to use ssh instead of telnet, which sends credentials and
session contents in cleartext.  Note that this signature relies on that
cleartext and will not fire on an encrypted ssh session.

Additional References:

