Nmap Announce mailing list archives

Re: RPC files


From: "ga" <duncan () multimania org>
Date: Fri, 5 Feb 1999 17:21:16 -0000


Re,

I thought I'd post this as an example of how to track down an errant RPC
service for which no /etc/rpc entry exists:

% rpcinfo -p localhost
   program vers proto   port
[..]
1342177279    3   tcp   1027
1342177279    1   tcp   1027
% lsof | egrep "inet " | egrep 1027 | egrep LISTEN
ttsession   573      pg    4u  inet 0x2947bf00                0t0     TCP
*:1027 (LISTEN)

According to rfc 1831:

              0 - 1fffffff   defined by rpc () sun com
       20000000 - 3fffffff   defined by user
       40000000 - 5fffffff   transient
       60000000 - 7fffffff   reserved
       80000000 - 9fffffff   reserved
       a0000000 - bfffffff   reserved
       c0000000 - dfffffff   reserved
       e0000000 - ffffffff   reserved

So we can't really trace rpc program ids above 0x1ffffff, unfortunately...

However, I don't know if this would be in the scope of nmap, but it's easy
to code a portmap_dump() call on port 111 (or 32771 and above) if it's
open, and then it would automatically give away the portmapper list.
Anyway, this port is usually filtered, so it's not worth doing that.

Also, I received the answer from Sun about the official rpc list (thanks
for their quick answer):

We have not yet distributed the list of RPC registrations, but do
intend to do so.  I will add your name to the list of people to be
notified when this occurs.  

Hope it won't take too long... but it's surprising that there is still no
official rpc program list.

                                                ga
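The procedure in the post (read `rpcinfo -p`, find the port, ask `lsof` which process holds it, then place the program number in the RFC 1831 table) can be scripted so that every registration without an /etc/rpc name is tied to a binary and a PID in one pass. The example below is added here and is not code from the post or from nmap; the `rpcinfo` and `lsof` outputs it parses are constructed to mirror the excerpts above (program 1342177279 is 0x4fffffff, which the quoted table places in the transient range, the range ToolTalk-style services register in). Column layout of `lsof` varies between platforms, so the regex assumes the COMMAND/PID/USER ordering shown in the post.

```python
"""Correlate `rpcinfo -p` registrations with `lsof` socket owners and label
each program number with its RFC 1831 range.

Added example; the sample outputs below are constructed to mirror the
post's excerpts, not captured from the author's host."""
import re
from typing import Dict, List, Tuple

# Program-number ranges from RFC 1831 (the table quoted in the post).
RPC_PROGRAM_RANGES = (
    (0x00000000, 0x1fffffff, "defined by rpc@sun.com"),
    (0x20000000, 0x3fffffff, "defined by user"),
    (0x40000000, 0x5fffffff, "transient"),
    (0x60000000, 0xffffffff, "reserved"),
)

# Constructed `rpcinfo -p` output. rpcinfo appends a name only for programs
# it can resolve through /etc/rpc, so the transient entry has none.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
1342177279    3   tcp   1027
1342177279    1   tcp   1027
"""

# Constructed `lsof` output in the column order shown in the post.
LSOF_SAMPLE = """\
COMMAND     PID USER   FD TYPE     DEVICE SIZE/OFF NODE NAME
rpcbind     120 root    4u inet 0x2947ae00      0t0  TCP *:111 (LISTEN)
rpcbind     120 root    5u inet 0x2947ae80      0t0  UDP *:111
ttsession   573   pg    4u inet 0x2947bf00      0t0  TCP *:1027 (LISTEN)
"""

_RPCINFO_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")
# COMMAND PID USER ... NODE(TCP|UDP) host:port [(STATE)]
_LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+.*?\b(TCP|UDP)\s+\S*:(\d+)(?:\s+\((\w+)\))?\s*$"
)


def classify_program(prog: int) -> str:
    """Return the RFC 1831 range label for a 32-bit program number."""
    for lo, hi, label in RPC_PROGRAM_RANGES:
        if lo <= prog <= hi:
            return label
    raise ValueError(f"program number out of 32-bit range: {prog}")


def parse_rpcinfo(text: str) -> List[Dict]:
    """Parse `rpcinfo -p` rows; the header and any '[..]' filler are skipped."""
    rows = []
    for line in text.splitlines():
        m = _RPCINFO_RE.match(line)
        if m:
            rows.append({"program": int(m[1]), "version": int(m[2]),
                         "proto": m[3], "port": int(m[4]), "name": m[5]})
    return rows


def parse_lsof_listeners(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (proto, port) -> (command, pid) for TCP LISTEN and UDP sockets."""
    owners = {}
    for line in text.splitlines():
        m = _LSOF_RE.match(line)
        if not m:
            continue
        cmd, pid, proto, port, state = m[1], int(m[2]), m[3].lower(), int(m[4]), m[5]
        if proto == "tcp" and state != "LISTEN":
            continue  # an established connection is not the service's socket
        owners[(proto, port)] = (cmd, pid)
    return owners


def correlate(rpcinfo_text: str, lsof_text: str) -> List[Dict]:
    """Join each registration to the process holding its port and annotate
    the program number with its hex form and RFC 1831 range, so an unnamed
    registration can be traced to a binary even without an /etc/rpc entry."""
    owners = parse_lsof_listeners(lsof_text)
    out = []
    for row in parse_rpcinfo(rpcinfo_text):
        cmd, pid = owners.get((row["proto"], row["port"]), (None, None))
        out.append({**row, "hex": f"0x{row['program']:08x}",
                    "range": classify_program(row["program"]),
                    "command": cmd, "pid": pid})
    return out


if __name__ == "__main__":
    for f in correlate(RPCINFO_SAMPLE, LSOF_SAMPLE):
        print(f"{f['program']:>10} {f['hex']} v{f['version']} {f['proto']}/{f['port']:<5} "
              f"{f['range']:<22} {f['name'] or '-':<11} {f['command'] or '?'}[{f['pid'] or '-'}]")
```

On a live host, feed `correlate()` the captured text of `rpcinfo -p` and `lsof -i -n -P`; UDP registrations are matched without a LISTEN state because lsof does not print one for datagram sockets, and a registration whose port has no owner at all (stale portmapper entry) comes back with `command` and `pid` set to None, which is itself worth investigating.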



