If you see rac 331 with p verified in your firewall logs or endpoint detection and response (EDR) alerts, and you did not initiate a remote session, consider the following possibilities:
| Scenario | Risk Level | Action Required | | :--- | :--- | :--- | | Scheduled IT maintenance | Low | Verify the source IP against your approved admin subnet. | | Unauthorized former employee | Critical | Immediately revoke credentials, block IP, and reset all RAC passwords. | | Brute-force success | High | Check for multiple failed logins before the "verified" entry. Rotate all privileged passwords. | | Misconfigured monitoring scan | Low | Whitelist the scanning tool, but ensure it does not use shared secrets. | rac remote administrator control 331with p verified
Recent network scans and internal audits have identified an uptick in sessions involving Remote Administrator Control (RAC) port 331 returning a status of "P Verified" (Password Verified). If you see rac 331 with p verified
While this status indicates a successful authentication handshake, it also represents a critical security juncture. This post outlines what RAC 331 is, the meaning of "P Verified," and the immediate steps required to secure your environment. The "331with p verified" is unusual for standard
Several tools use the term:
The "331with p verified" is unusual for standard RAC protocols. 331 is standard FTP, not RAC. Could be a customized or incorrectly parsed log.
In the log output rac 331 with p verified, the "P" typically refers to Password (or occasionally Phone/2FA token).