Rule:

--
Sid:
1900

--
Summary:
This event is generated when a known response to a successful attack is detected.

--
Impact:
Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attacker's choosing in some cases.

--
Detailed Information:
This event is generated when a known response to a successful attack is detected.

Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.

Events generated by rules in attack-responses.rules may indicate that an attack against a host has been successful.

--
Affected Systems:
Any vulnerable host.

--
Attack Scenarios:
An attacker can access an authentication mechanism and supply his/her own credentials to gain access. An attacker might also exploit a weakness in a particular application or piece of software that will present the opportunity to gain access to the host.

--
Ease of Attack:
Simple. Many exploits exist for various systems and software.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up-to-date version of the software and has had all vendor-supplied patches applied.

Care should be taken to investigate the source of the event.

Check for signs of system compromise in log files.

Check for listening services on high ports.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--