Rule:

--
Sid:
561

--
Summary:
This event is generated when a known response to a sucessful attack is
detected.

--
Impact:
Information gathering and system integrity compromise. Possible unauthorized
administrative access to the server or application. Possible execution
of arbitrary code of the attackers choosing in some cases.

--
Detailed Information:
This event is generated when a known response to a sucessful attack is
detected. Some applications do not perform stringent checks when validating
the credentials of a client host connecting to the services offered on a
host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator. Data stored on the machine can be
compromised and trust relationships between the victim server and other
hosts can be exploited by the attacker.

Events generated by rules in attack-responses.rules may indicate that an
attack against a host has been sucessful.

--
Affected Systems:
	Any vulnerable host.

--
Attack Scenarios:
An attacker can access an authentication mechanism and supply his/her
own credentials to gain access. An attacker might also exploit a
weakness in a particular application or piece of software that will
present the opportunity to gain access to the host.

--
Ease of Attack:
Simple. Many exploits exist for various systems and software.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

Care should be taken to investigate the source of the event. Check for
signs of system compromise in log files. Check for listening services on
high ports.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
OpenNap Specification
http://opennap.sourceforge.net/napster.txt

--