Security Incidents mailing list archives
Re: anyone else seen an increase in sunrpc scans these days?
From: Derek Kwan <dkwan () KWAN CA>
Date: Mon, 15 Jan 2001 14:54:38 -0500
Yes I have seen alot of sunrpc scan on my cable modem too. Since Jan 1, 2001 I get appx 3-4 sunrpc scan daily. Here are a list of IPs for sunrpc scan on my server since 1 Jan 2001. 216.128.39.125 208.35.4.25 216.253.248.140 24.108.84.147 24.70.222.168 24.22.169.216 24.167.61.7 152.101.127.222 211.172.14.13 211.75.16.178 160.78.31.151 211.100.8.165 211.5.191.200 64.2.219.110 Also there is a scan from 24.0.0.203 (authorized-scan1.security.home.net) on port 119 atleast 2-3 times daily too. Does other cable modem user have a similiar scan on their machine? \|/ _____ \|/ *************************************************** "@'/ , . \`@" This e-mail is send with 100% recyclable electrons. /_| \___/ |__\ *************************************************** \___U_/ Derek () KWAN ca On Sun, 14 Jan 2001, Steve Buttgereit wrote:
I'm beginning see a lot, too. All different IPs though. I'm also seeing a lot of scans in my snort log that follow this pattern: FIN scan to port 111 --> RPC Info. Query --> RPC portmap-request status --> Shellcode x86 NOPS. It all started about a week ago. SCB -----Original Message----- From: Jason Lewis [mailto:jlewis () JASONLEWIS NET] Sent: Sunday, January 14, 2001 10:20 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: anyone else seen an increase in sunrpc scans these days? I couldn't find any of those addresses, but I have similar scans in my logs. 63.91.6.36 64.32.209.213 64.21.114.2 66.22.62.2 216.98.160.251 Last 24 hours....all the above IP's are looking for Sun RPC. jas http://www.rivalpath.com -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Alex Popa Sent: Sunday, January 14, 2001 7:26 PM To: INCIDENTS () SECURITYFOCUS COM Subject: anyone else seen an increase in sunrpc scans these days? In the last five days, the port scans to my entire class C have dramatically increased, from one per two days on average, to four yesterday and six today. Is there a new exploit around, or is there some sort of new worm out there? I might just be paranoid, but here are the addreses that have been looking for port 111 in the last 26 hours: 24.26.121.156 24.168.66.119 64.31.226.156 142.169.227.102 193.226.15.15 211.218.144.11 ------------+------------------------------------------ Alex Popa, | "Artificial Intelligence is razor () ldc ro| no match for Natural Stupidity" ------------+------------------------------------------ "It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here."
Current thread:
- Re: anyone else seen an increase in sunrpc scans these days? Ray Simard (Jan 15)
- <Possible follow-ups>
- Re: anyone else seen an increase in sunrpc scans these days? Steve Buttgereit (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Derek Kwan (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Brian Taylor (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Matthew Hallacy (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Devdas Bhagat (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Cristian Dumitrescu (Jan 15)
- sunrpc / wu-ftpd worm ? Mihai Moldovanu (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Digital Overdrive (Jan 16)
- Re: anyone else seen an increase in sunrpc scans these days? Cristian Dumitrescu (Jan 16)
- Re: anyone else seen an increase in sunrpc scans these days? Nathan W. Lindstrom (Jan 16)
- Re: anyone else seen an increase in sunrpc scans these days? Ignacio Machin (Jan 18)
- Re: anyone else seen an increase in sunrpc scans these days? razor (Jan 18)