Security Incidents mailing list archives
Re: just how much sunrpc scanning is normal?
From: nathan () MMIND NET (Nathan Nichols)
Date: Sat, 26 Feb 2000 01:03:31 -0600
I used to get quite a bit of portmap connection attempt activity as well. The machine in question is a web mirror server, and until I dropped our Linuxberg mirror, it got a lot of strange activity. After I dropped that site, connection attempts and port scans went way down.

I recognized one of the hosts in the log section you posted (turbo.rdb.co.jp, which is 210.162.153.22).

Jan 1 18:20:35 subzero portmap[11616]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:36 subzero portmap[11624]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:37 subzero portmap[11632]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:37 subzero portmap[11640]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:38 subzero portmap[11648]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:38 subzero portmap[11656]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:41 subzero portmap[11665]: connect from 210.162.153.22 to dump(): request from unauthorized host

-----
Nathan Nichols
Unix Systems Administrator
MasterMind Internet Services

----- Original Message -----
From: "Jon Burdge" <jburdge () AVENTAIL COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, February 24, 2000 6:07 PM
Subject: just how much sunrpc scanning is normal?

I've been seeing a lot of scanning on my machines for open sunrpc ports. I always try to notify the admin of the machine that scanned me, as it's been my experience it's usually just a staging point for some script kitty. The reason I'm writing this is I'd like to know..is this amount of activity normal? Here's the logs from one of my machines. This isn't a high profile site or anything.

Dec 16 17:22:28 sol tcplogd[458]: sunrpc connection from @mangle.atsi.net:758
Dec 25 20:07:33 sol tcplogd[12185]: sunrpc connection from 38.193.155.121:16541
Jan 1 17:49:49 sol tcplogd[3386]: sunrpc connection from turbo.rdb.co.jp:2666
Jan 4 12:34:02 sol tcplogd[7061]: sunrpc connection from @210.107.65.65:955
Jan 27 08:56:39 sol tcplogd[13530]: sunrpc connection from cx674799-a.irvn1.occa.home.com:2488
Feb 6 14:02:02 sol tcplogd[2262]: sunrpc connection from @211.40.176.241:871
Feb 8 20:49:27 sol tcplogd[4843]: sunrpc connection from @209.24.82.10:753
Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from ms3.riverview.net:852
Feb 16 09:55:00 sol tcplogd[1034]: sunrpc connection from @dns.sumitomo-fh.co.jp:31391
Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @www.4quest.com:884

Is it just I never realized how common this scanning was? Is this a feature of some automated scanning/exploitation script out there?

jlb.
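
An added example, not part of either message: a small Python parser for the two log formats quoted in this thread that groups sunrpc probes by source and reports sources seen by more than one logging host. The sample lines are copied from the messages above, the name-to-address mapping is the one given in the reply, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the two messages in this thread.
LOGS = """\
Jan 1 17:49:49 sol tcplogd[3386]: sunrpc connection from turbo.rdb.co.jp:2666
Jan 4 12:34:02 sol tcplogd[7061]: sunrpc connection from @210.107.65.65:955
Feb 6 14:02:02 sol tcplogd[2262]: sunrpc connection from @211.40.176.241:871
Jan 1 18:20:35 subzero portmap[11616]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan 1 18:20:36 subzero portmap[11624]: connect from 210.162.153.22 to dump(): request from unauthorized host
"""

# Name-to-address mapping as stated in the reply. Assumption: a real run would
# use a maintained table or logged addresses, not live DNS.
ALIASES = {"turbo.rdb.co.jp": "210.162.153.22"}

# syslog prefix: month, day, time, logging host, program[pid]: message
PREFIX = re.compile(r"^(\w{3})\s+(\d+)\s+([\d:]+)\s+(\S+)\s+(\w+)\[\d+\]:\s+(.*)$")
# Per-program message formats; some tcplogd sources carry a leading "@", dropped here.
FORMATS = {
    "tcplogd": re.compile(r"^sunrpc connection from @?([^\s:]+):\d+$"),
    "portmap": re.compile(r"^connect from (\S+) to \w+\(\)"),
}

def parse(line):
    """Return {'when', 'host', 'src'} for a sunrpc/portmap probe line, else None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    mon, day, clock, host, prog, msg = m.groups()
    fmt = FORMATS.get(prog)
    hit = fmt.match(msg) if fmt else None
    if not hit:
        return None
    src = hit.group(1)
    return {"when": f"{mon} {day} {clock}", "host": host, "src": ALIASES.get(src, src)}

def sources_by_host(text):
    """Map source -> logging host -> list of timestamps."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ev = parse(line)
        if ev:
            seen[ev["src"]][ev["host"]].append(ev["when"])
    return seen

def multi_host_sources(text):
    """Sources that probed more than one logging host."""
    return sorted(s for s, hosts in sources_by_host(text).items() if len(hosts) > 1)
```
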