[Snort-sigs] SID 715
alexander.s at ...1565...
Mon Jun 9 14:27:05 EDT 2003
TELNET Attempted SU from wrong group
This signature indicates that someone logged in to a user account over
telnet has attempted to 'su' to the root account.
This signature indicates that somebody has logged in to a machine over a
telnet connection and then attempted to change to the root account.
This may indicate that a system has been compromised if the client is
outside your network. The signature checks for an error message that is
given if the user that executes 'su' is not a member of the 'wheel'
group. It may also indicate that a legitimate user is trying to
compromise administrator access. Telnet is a terminal emulation program.
The telnet client connects to a telnet server which usually runs on TCP
An attacker may have compromised the machine. This program is also used
Ease of Attack:
Use a firewall to restrict telnet access to certain hosts. It is
preferable to use ssh instead of telnet.
Documentation - Steven Alexander <alexander.s at ...1565...>
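
Added example, not part of the original post and not Snort's own rule or code: a Python sketch of the check described above, matching the su group error only in server-to-client telnet data after removing telnet option negotiation. The exact error string, server port 23 as the default, the function and class names, and the sample segments are assumptions constructed for illustration.

```python
# Assumed text of the su error for a caller outside 'wheel' (not quoted in the post).
SU_DENIED = b"not in the correct group to su root"
IAC, SB, SE, WILL, DONT = 255, 250, 240, 251, 254  # WILL..DONT covers 251-254

def strip_telnet(data: bytes) -> bytes:
    """Drop telnet IAC negotiation so only terminal text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                              # lone IAC at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2            # escaped 0xFF data byte
        elif WILL <= data[i + 1] <= DONT:
            i += 3                             # IAC WILL/WONT/DO/DONT <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                             # other two-byte command
    return bytes(out)

class SuDeniedDetector:
    """Case-insensitive match that survives the message being split across segments."""
    def __init__(self):
        self.tail = {}
    def feed(self, flow, payload: bytes) -> bool:
        text = self.tail.get(flow, b"") + strip_telnet(payload).lower()
        hit = SU_DENIED in text
        self.tail[flow] = b"" if hit else text[-(len(SU_DENIED) - 1):]
        return hit

# Constructed sample segments: (src, sport, dst, dport, payload)
SAMPLE = [
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"\xff\xfb\x01login: "),
    ("198.51.100.7", 40112, "192.0.2.10", 23, b"su root\r\n"),
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"su: You are not in the correct gr"),
    ("192.0.2.10", 23, "198.51.100.7", 40112, b"oup to su root.\r\n"),
    ("198.51.100.7", 40112, "192.0.2.10", 23, b"not in the correct group to su root\r\n"),
]

def scan(segments, server_port=23):
    """Return (index, server, client) for each server-side segment that completes a match."""
    det, alerts = SuDeniedDetector(), []
    for n, (src, sport, dst, dport, payload) in enumerate(segments):
        if sport == server_port and det.feed((src, sport, dst, dport), payload):
            alerts.append((n, src, dst))
    return alerts

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The last sample segment carries the same text from the client side and is ignored; where the server echoes typed input, text a user types can still reach the matcher from the server side.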