Intrusion Prevention

Unixshellfromport.ingreslock.port.Exploit

Description

Indicates an attempt to create a remote shell on the ingreslock port (port 1524). Remote attackers exploiting Linux or Unix systems frequently attempt to create a command shell (for example /bin/sh) listening on port 1524. An entry for the ingreslock service (port 1524) is added to a file called, for example, /tmp/x, and inetd is then executed with /tmp/x as its configuration file. The remote attacker can then connect to this shell and gain complete system access and control.

Affected Products

All Unix and Linux systems.

Impact

Remote shell access with root privileges.

Recommended Actions

Kill any extra inetd processes. Remove the configuration file and any accounts that were created.
Restrict access to port 1524.
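
The shell functions below are an added example for checking a host against the actions above; they are not part of the original signature description or of any vendor tool. They assume the default inetd configuration path /etc/inetd.conf and the usual column layout of `ps -eo pid,args`, `ss -ltn` and `netstat -ltn`; the function names and sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the port 1524 (ingreslock) shell backdoor.
# Each function reads command output on stdin, so it also works on saved captures.

# Input: `ps -eo pid,args`. Prints "PID CONFIG" for every inetd started with an
# explicit configuration file other than the default /etc/inetd.conf.
rogue_inetd() {
    awk '{
        n = split($2, part, "/")
        if (part[n] != "inetd") next
        for (i = 3; i <= NF; i++)
            if ($i ~ /^\// && $i != "/etc/inetd.conf") print $1, $i
    }'
}

# Input: `ss -ltn` or `netstat -ltn` (local address is column 4 in both).
# Prints every listening local address bound to port 1524.
port1524_listeners() {
    awk '$4 ~ /:1524$/ { print $4 }'
}

# Input: an inetd-style configuration file. Prints entries for the ingreslock
# service (by name or port number) whose server program is a shell.
ingreslock_shell_entries() {
    awk '($1 == "ingreslock" || $1 == "1524") && $6 ~ /(^|\/)(ba|c|k|z)?sh$/'
}

# Constructed sample captures (not taken from a real host).
SAMPLE_PS='  PID COMMAND
  412 /usr/sbin/inetd
 2291 inetd /tmp/x
 2300 /usr/sbin/sshd -D'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:1524       0.0.0.0:*'
SAMPLE_CONF='# constructed inetd-style file
ingreslock stream tcp nowait root /bin/sh sh
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd'

printf '%s\n' "$SAMPLE_PS"   | rogue_inetd               # 2291 /tmp/x
printf '%s\n' "$SAMPLE_SS"   | port1524_listeners        # 0.0.0.0:1524
printf '%s\n' "$SAMPLE_CONF" | ingreslock_shell_entries  # the ingreslock line
```

On a live host, feed the functions real output, for example `ps -eo pid,args | rogue_inetd`, and review each reported configuration file before removing it.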