Signature Detail

MS-RPC: Content Indexing Service over RPC Activity

This signature detects access to the Microsoft Windows Indexing Service through Microsoft Remote Procedure Call (MS-RPC). Using MS-RPC, attackers can remotely access the indexing service without authentication and search for files on a target's hard drive. Note: The indexing service is typically disabled.

Extended Description

A vulnerability exists in Microsoft Indexing Services that may allow unauthenticated searches of the filesystem, leading to the disclosure of sensitive information. In addition, an attacker may be able to execute arbitrary code. RPC traffic referencing the Indexing Service originating from non-trusted hosts may indicate that a malicious attempt to enumerate the filesystem is underway.

References

• URL: http://windowssdk.msdn.microsoft.com/en-us/library/ms719418.aspx
• URL: http://en.wikipedia.org/wiki/MSRPC