Security Incidents mailing list archives
Re: just how much sunrpc scanning is normal?
From: cbrenton () SOVER NET (Chris Brenton)
Date: Sat, 26 Feb 2000 06:57:10 -0500
Jon Burdge wrote:
I've been seeing a lot of scanning on my machines for open sunrpc ports. I always try to notify the admin of the machine that scanned me, as it's been my experience it's usually just a staging point for some script kitty. The reason I'm writing this is I'd like to know..is this amount of activity normal?
Based on the number of "I just received an RPC scan, now they are trying to break in" reports I've seen over at GIAC, no amount of RPC scanning should be considered "normal". I can't remember seeing a single report that was "never mind, the RPC scan was a false alarm".
Is it just I never realized how common this scanning was? Is this a feature of some automated scanning/exploitation script out there?
Absolutely. Most DDoS tools appear to be automated. This is why they are able to spread so quickly and infect so many hosts. Seems RPC and named are the two most popular points of attempted entry. HTH, Chris -- ************************************** cbrenton () sover net * Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Current thread:
- rooted with lots of files in /dev/sdc0/.nfs01 Jeff Macdonald (Feb 23)
- Slow scan on port 109 (pop2/kpop) Keith Owens (Feb 24)
- just how much sunrpc scanning is normal? Jon Burdge (Feb 24)
- Re: just how much sunrpc scanning is normal? Missouri FreeNet Administration (Feb 25)
- Re: just how much sunrpc scanning is normal? Jon Lewis (Feb 25)
- Re: just how much sunrpc scanning is normal? Nathan Nichols (Feb 25)
- Re: just how much sunrpc scanning is normal? Chris Brenton (Feb 26)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Ken Lyon (Feb 24)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Marianovich Felix (Feb 25)