Security Incidents mailing list archives
Re: I was scaned
From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Fri, 21 Jan 2000 15:21:21 -0800
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.10:111 L=40 S=0x00 I=62128 F=0x0000 T=238
....
Any idea what it is? New sunrpc xploit in the wild?
They're looking for any hosts that have a reachable portmapper. From there they can query all available RPC services and look for vulnerabilities in these. Since virtually any RPC service ever written has had a security vulnerability in it, this sounds accurate.

Make sure you are not only blocking port 111, but also privileged TCP/UDP ports, and TCP/UDP ports in the 32000-33000 port range, since Solaris has many RPC services listening on ports in those ranges by default. The portmapper isn't required to access an RPC service, since you can find services simply by port scanning, and iterating through known service numbers.

- Oliver
securityfocus.com
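Added example, not part of the original message: a small Python parser for ipchains "Packet log" lines like the one quoted above, which flags TCP/UDP packets aimed at the port ranges the reply says to block (111, privileged ports, 32000-33000). The category names and all sample lines after the first are constructed for illustration.

```python
import re
from collections import Counter

# ipchains "Packet log" line: chain, action, iface, protocol number, src:port, dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+)"  # [\w.] also accepts redacted x.x.x.N addresses
)
PROTO_NAMES = {6: "tcp", 17: "udp"}

def classify_port(port):
    """Map a destination port onto the ranges named in the message."""
    if port == 111:
        return "portmapper"
    if 32000 <= port <= 33000:
        return "rpc-high-range"
    if port < 1024:
        return "privileged"
    return None

def parse_line(line):
    """Return a dict for an RPC-relevant TCP/UDP packet log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = PROTO_NAMES.get(int(m["proto"]))
    category = classify_port(int(m["dport"]))
    if proto is None or category is None:
        return None
    return {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
            "proto": proto, "action": m["action"], "category": category}

def summarize(lines):
    """Count RPC-relevant probes per (source address, category)."""
    hits = filter(None, map(parse_line, lines))
    return Counter((h["src"], h["category"]) for h in hits)

# First line is the one quoted in the message; the other three are constructed samples.
SAMPLE = [
    "Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.10:111 L=40 S=0x00 I=62128 F=0x0000 T=238",
    "Jan 20 22:30:01 main kernel: Packet log: scalain REJECT eth0 PROTO=17 192.0.2.7:1044 x.x.x.10:32771 L=84 S=0x00 I=4021 F=0x0000 T=52",
    "Jan 20 22:30:05 main kernel: Packet log: scalain REJECT eth0 PROTO=6 192.0.2.7:1045 x.x.x.10:8080 L=44 S=0x00 I=4022 F=0x0000 T=52",
    "Jan 20 22:30:09 main kernel: Packet log: scalain REJECT eth0 PROTO=1 192.0.2.7:8 x.x.x.10:0 L=84 S=0x00 I=4023 F=0x0000 T=52",
]

if __name__ == "__main__":
    for (src, category), n in sorted(summarize(SAMPLE).items()):
        print(f"{src}\t{category}\t{n}")
```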