1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
Rule:
--
Sid:
2124
--
Summary:
This event is generated when an attempt is made to connect to a host running a Remote PC Access Server.
--
Impact:
Serious. System compromise leading to a compromise of all data on the target host.
--
Detailed Information:
This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated by an attacker using Nessus to scan for Remote PC Access.
Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection.
Login information is transmitted in clear text across a TCP connection, the attacker could recover this information by capturing a legitimate session. It may also be possible for an attacker to gain access by utilizing a brute force attack to discover the password to connect.
--
Affected Systems:
Any host using the Remote PC Access Server.
--
Attack Scenarios:
An attacker can connect to the Remote PC Access Server using the client program and gain complete control of the host if the password and username are known.
--
Ease of Attack:
Simple.
--
False Positives:
A legitimate login session may cause this rule to generate an event.
--
False Negatives:
None Known.
--
Corrective Action:
Disable the Remote PC Access Server
Disallow connection to the server from clients external to the protected network.
--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
