Snort mailing list archives
Re: rpc.statd
From: Colin Wu <wucolin () mcmaster ca>
Date: Wed, 06 Jun 2001 12:31:21 -0400
This looks like someone looking for the sunrpc portmapper, which listens on both TCP and UDP port 111. There is nothing really magical about ports <1024. It's just a convention that "ephemeral" ports are chosen from above 1023. On Unix boxes only the super-user (usually root) can actually open a source port <1024, but on Windows and DOS boxes (and probably Macintosh) nothing prevents it.

skop d'skop wrote:
Thanks David,

But what I wonder about is this pattern:

May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP

First it looks for SYN (which is a TCP flag), then it looks for the UDP protocol. For UDP, the source port is below 1024. Plus, is there anything about a source port < 1024 (isn't that abnormal?) scanning some destination on a destination port < 1024 (normal)?

Thanks
-skop

-----Original Message-----
From: LEFEVRE David David.LEFEVRE () cardif fr
Sent: Wed, 06 Jun 2001 09:44:42 +0200
To: skop () visto com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] rpc.statd

You should look for the Cybercop or Nessus security scanning tool. I use it to improve the security of my net; it runs well. It also has an "nmap plugin". For example:

Vulnerability found on port unknown (669/tcp)
The remote statd service could be brought down with a format string attack - it now needs to be restarted manually. This means that an attacker may execute arbitrary code thanks to a bug in this daemon.
Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

Best regards,
David

skop d'skop wrote:

hi guys,

came across this alert lately for my network:

[**] IDS10 - RPC - portmap-request-rstatd [**]
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*

and I'm wondering what kind of scanning / tool triggers this alert. I've done #rpcinfo -p hostname and #nmap -sU -sR hostname, yet no similar output.

-skop

___________________________________________________________________________
Visit http://www.visto.com/info, your free web-based communications center.
Visto.com. Life on the Dot.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
david.lefevre () cardif fr - Tél : 01 41 42 76 63

--
Network Analyst
Computing & Information Services
McMaster University
(905)525-9140 ext 24050
http://netman.McMaster.CA
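The thread turns on two questions: why a SYN to tcp/111 is followed a second later by a UDP packet to udp/111 from the same host, and whether a source port below 1024 means anything. The following is an added example, not code from the thread or from Snort, that parses portscan-log lines in the format quoted above and answers both from the log itself: it groups probes of the portmapper port by (source, destination) pair and transport, counts how many hosts each source swept, and reports low source ports as a hint only, since, as Colin points out, non-Unix stacks can use them freely. The sample lines are constructed from the ones in the thread with the original placeholder addresses, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

PORTMAPPER_PORT = 111   # sunrpc portmapper, listens on both TCP and UDP
PRIVILEGED_MAX = 1023   # ports <= 1023 need root on Unix senders; not on Windows/DOS

# Constructed sample input in the Snort portscan-log style quoted in the thread
# (placeholder addresses A.B.C.80 / X.Y.Z.n as in the original post).
SAMPLE_LOG = """\
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
"""

# "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <proto> [<flags>]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?:\s+(?P<flags>\S+))?\s*$"
)


def parse_line(line):
    """Parse one portscan-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    # Snort names TCP probes by the flag set seen ("SYN") and UDP ones simply "UDP";
    # normalise that to a transport so the two can be correlated per host pair.
    ev["transport"] = "udp" if ev["proto"] == "UDP" else "tcp"
    return ev


def parse_log(text):
    """Parse a whole log, skipping lines that are not portscan entries."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def privileged_source_ports(events):
    """Events whose source port is <= 1023. From a Unix sender that implies root;
    from a Windows/DOS-era stack it implies nothing, so treat it as a hint only."""
    return [ev for ev in events if ev["sport"] <= PRIVILEGED_MAX]


def portmapper_probes(events, port=PORTMAPPER_PORT):
    """Map (src, dst) -> set of transports used to reach the portmapper port."""
    seen = defaultdict(set)
    for ev in events:
        if ev["dport"] == port:
            seen[(ev["src"], ev["dst"])].add(ev["transport"])
    return dict(seen)


def dual_protocol_probes(events, port=PORTMAPPER_PORT):
    """(src, dst) pairs that touched the portmapper over both TCP and UDP:
    the SYN-then-UDP pattern the original poster asked about."""
    return sorted(pair for pair, tr in portmapper_probes(events, port).items()
                  if tr == {"tcp", "udp"})


def hosts_swept_per_source(events, port=PORTMAPPER_PORT):
    """Distinct destinations each source hit on the portmapper port; several
    hosts from one source within seconds is a sweep, not a stray RPC client."""
    targets = defaultdict(set)
    for ev in events:
        if ev["dport"] == port:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed")
    for ev in privileged_source_ports(evs):
        print(f"low source port (hint only): {ev['src']}:{ev['sport']} -> "
              f"{ev['dst']}:{ev['dport']} {ev['transport']}")
    print("TCP+UDP probes of port 111:", dual_protocol_probes(evs))
    print("hosts swept per source:", hosts_swept_per_source(evs))
```

On the sample lines this reports the single privileged source port (726/udp), the one host pair that was probed over both transports, and that the same source touched three hosts on port 111, which is what distinguishes a sweep from a legitimate rpcinfo query from one client.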
Current thread:
- rpc.statd skop d'skop (Jun 05)
- Re: rpc.statd LEFEVRE David (Jun 06)
- <Possible follow-ups>
- Re: rpc.statd skop d'skop (Jun 06)
- Re: rpc.statd Colin Wu (Jun 06)