[Snort-sigs] SID 715

Steven Alexander alexander.s at ...1565...
Mon Jun 9 14:27:05 EDT 2003


Rule:
TELNET Attempted SU from wrong group

--
Sid:
715

--
Summary:
This signature indicates that someone logged in to a user account over
telnet has attempted to 'su' to the root account.

--
Impact:

Moderate.

--
Detailed Information:

This signature indicates that somebody has logged in to a machine over a
telnet connection and then attempted to change to the root account.
This may indicate that a system has been compromised if the client is
outside your network.  The signature checks for an error message that is
given if the user that executes 'su' is not a member of the 'wheel'
group.  It may also indicate that a legitimate user is trying to
compromise administrator access. Telnet is a terminal emulation program.
The telnet client connects to a telnet server which usually runs on TCP
port 23.

--
Affected Systems:

All

--
Attack Scenarios:

An attacker may have compromised the machine.  This program is also used
legitimately.  

--
Ease of Attack:
Very Simple

--
False Positives:

None known.

--
False Negatives:

None known.

--
Corrective Action:

Use a firewall to restrict telnet access to certain hosts.  It is
preferable to use ssh instead of telnet.

--
Contributors:
Documentation - Steven Alexander <alexander.s at ...1565...>

--
Additional References:
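
The check described under Detailed Information, as an added Python example that is not part of this post or of the Snort rule set: it looks for the su refusal in server-to-client telnet data, ignoring telnet option negotiation and matching across segment boundaries. Assumptions: the match string is taken from the BSD su refusal text ("you are not in the correct group (wheel) to su root"), which the post does not quote; the addresses, HOME_NET and all function names are constructed for illustration.

```python
import ipaddress

TELNET_PORT = 23                                 # from the post: telnet usually on TCP 23
SU_REFUSAL = b"to su root"                       # assumption: tail of the BSD su refusal
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed example network
IAC, SB, SE = 0xFF, 0xFA, 0xF0                   # telnet command bytes (RFC 854)
MAX_BUF = 4096                                   # per-flow bytes kept for matching

def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC command sequences so only terminal text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                # command cut off at end of buffer
        elif data[i + 1] == SB:                  # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:  # WILL/WONT/DO/DONT carry an option byte; other commands are two bytes
            i += 3 if 0xFB <= data[i + 1] <= 0xFE else 2
    return bytes(out)

def detect_su_refusals(segments):
    """Return one alert per refusal seen in text sent by a telnet server."""
    flows, alerts = {}, []
    for src, sport, dst, dport, payload in segments:
        if sport != TELNET_PORT:                 # skip client keystrokes and other ports
            continue
        buf = flows.setdefault((src, dst, dport), bytearray())
        buf += payload
        if SU_REFUSAL in strip_telnet_commands(bytes(buf)).lower():
            external = ipaddress.ip_address(dst) not in HOME_NET
            alerts.append({"server": src, "client": dst, "external_client": external})
            buf.clear()                          # do not re-alert on the same text
        else:
            del buf[:-MAX_BUF]                   # keep only a bounded tail per flow
    return alerts

# Constructed capture: negotiation bytes, then a refusal split across two segments.
SAMPLE = [
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"\xff\xfb\x01\xff\xfb\x03login: "),
    ("198.51.100.7", 40112, "192.0.2.10", 23, b"su\r\n"),
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"su: you are not in the correct group (wheel) to s"),
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"u root.\r\n"),
]
```

The `external_client` field reflects the post's point that the alert matters most when the client is outside your network.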








