Security Incidents mailing list archives
Re: funky syslog entry
From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Tue, 27 Jun 2000 19:02:26 -0400
On Mon, 26 Jun 2000 17:44:25 EDT, klug <klug () KLUG CX> said:
While searching through syslog entries I found this little tid bit. Others and I, believe its some sort of scan. Any ideas are welcome.
Jun 24 14:39:10 * portmap[27279]: connect from 193.40.245.45 to dump(): request from unauthorized host
Somebody did an 'rpcinfo -p' against you. ;)
This is pretty stock first-thing if you';re about to try any of the many
rpc.* exploits - you need to get the port number first, and portmap is
made for that..
Theory of operation:
1) Contact portmap, get the service->port mappings.
2) Launch rpc.cmsd, rpc.ttdbserver, rpc.frobozzz exploit at the proper port.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>
Current thread:
- Re: stranger ftp kill, (continued)
- Re: stranger ftp kill jose (Jun 26)
- Re: Connections to port 635 ?? Ben Laws (Jun 23)
- Re: Connections to port 635 ?? Robert Graham (Jun 23)
- Nike Site taken over F_SecurityList Jo (Jun 21)
- Re: Nike Site taken over Steve (Jun 22)
- Re: Nike Site taken over Ex Machina (Jun 22)
- Re: Nike Site taken over Joel de la Garza (Jun 23)
- Re: Nike Site taken over Aviram Jenik (Jun 24)
- Re: Nike Site taken over Valdis Kletnieks (Jun 26)
- funky syslog entry klug (Jun 26)
- Re: funky syslog entry Valdis Kletnieks (Jun 27)
- Re: funky syslog entry Jens Hektor (Jun 27)
- Re: funky syslog entry Erich Meier (Jun 28)
- Re: funky syslog entry Sean Michael Whipkey (Jun 28)
- blind forwards Keith McCammon (Jun 28)
- Re: blind forwards Ex Machina (Jun 29)
- Re: blind forwards Brock Norvell (Jun 29)
- Re: blind forwards John Hall (Jun 29)
- Re: blind forwards David Pick (Jun 30)
- Re: funky syslog entry UnixGeek (Jun 29)
- Re: funky syslog entry Chris West (Jun 29)