Security Incidents mailing list archives
Re: just how much sunrpc scanning is normal?
From: jlewis () LEWIS ORG (Jon Lewis)
Date: Sat, 26 Feb 2000 00:00:53 -0500
On Thu, 24 Feb 2000, Jon Burdge wrote:
Dec 16 17:22:28 sol tcplogd[458]: sunrpc connection from @mangle.atsi.net:758
$ telnet mangle.atsi.net 79
Trying 204.57.111.227...
Connected to mangle.atsi.net.
Escape character is '^]'.
own
Login: own Name:
Directory: / Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Connection closed by foreign host.

That's a very bad sign.

Feb 8 20:49:27 sol tcplogd[4843]: sunrpc connection from @209.24.82.10:753
Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from ms3.riverview.net:852
Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @www.4quest.com:884
Generally any scans that come from low ports are either rooted systems or a hacker/scanner's system dialed into the net. That one above with the own account is almost certainly hacked. The fact that it scanned you in December and still has the own account doesn't say much for them.
Is it just I never realized how common this scanning was? Is this a feature of some automated scanning/exploitation script out there?
The common MO seems to be:
1) hack a box
2) install automated scanning tools
3) come back later, see what it found, hack them
4) goto 2

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*| Spammers will be winnuked or
 System Administrator | nestea'd...whatever it takes
 Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
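The low-source-port heuristic from the reply above, as an added example that is not part of the original post: it parses tcplogd lines in the format quoted in the thread and groups sunrpc probes that arrived from source ports below 1024, by peer. The function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# tcplogd line format as quoted in the thread:
#   "<Mon> <day> <time> <host> tcplogd[<pid>]: <service> connection from [ident]@<peer>:<port>"
# The "ident@" part is optional; some lines carry only "<peer>:<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+tcplogd\[\d+\]:\s+"
    r"(?P<service>\S+) connection from (?:(?P<ident>[^@\s]*)@)?"
    r"(?P<peer>[^\s:]+):(?P<port>\d+)\s*$"
)

def privileged_source_probes(lines, service="sunrpc"):
    """Group probes of `service` that came from a source port below 1024, by peer."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["service"] != service:
            continue  # unparseable line or a different service
        port = int(m["port"])
        if port < 1024:  # binding these ports needs root on Unix
            hits[m["peer"]].append((m["ts"], port))
    return dict(hits)

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    "Feb  8 20:49:27 sol tcplogd[4843]: sunrpc connection from @192.0.2.10:753",
    "Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from host1.example.net:852",
    "Feb 13 03:09:02 sol tcplogd[9230]: sunrpc connection from @198.51.100.7:34211",
    "Feb 14 10:00:00 sol tcplogd[9301]: telnet connection from @192.0.2.10:612",
    "Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @192.0.2.10:884",
]

if __name__ == "__main__":
    for peer, events in sorted(privileged_source_probes(SAMPLE).items()):
        ports = [p for _, p in events]
        print(f"{peer}: {len(events)} probe(s) from privileged ports {ports}")
```

A peer that shows up repeatedly over days or weeks is the one worth reporting to its upstream contact, since it suggests the host is still compromised.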