Security Incidents mailing list archives
Re: Strange RPC? service entries.
From: peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)
Date: Mon, 13 Mar 2000 10:24:05 +0100
On Thu, 9 Mar 2000, Tony Molloy wrote:
Recently I've lots of messages like the following appearing in several of my server logs. Several megabytes a day each. Mar 8 18:57:33 server portmap[24722]: connect from xxx.xxx.xxx.xxx to callit(300214): request from unauthorized host Mar 9 07:59:44 server portmap[14761]: connect from xxx.xxx.xxx.xxx to callit(390109): request from unauthorized host
AFAIK, 390109 is "nsrstat" where "nsr" stands for Legato Networker (also known as Solstice Backup). I know nothing certain 300214. A fuzzy reference I found in one of FreeBSD lists suggests this service might be related to FrameMaker. There should be a registry of these numbers maintained by Sun but I do not know how one could access it (besides the tiny portion in /etc/rpc). BTW: From what I have seen, various people have been complaining about these probes for a year. I smell a problem. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
Current thread:
- Re: UDP flood 28001-28003 Rainer Weikusat (Mar 08)
- <Possible follow-ups>
- Re: UDP flood 28001-28003 Andrew Badr (Mar 08)
- Strange RPC? service entries. Tony Molloy (Mar 09)
- Re: Strange RPC? service entries. Pavel Kankovsky (Mar 13)
- Re: UDP flood 28001-28003 Ian A (Mar 09)
- Re: UDP flood 28001-28003 George (Mar 09)
- 12th Annual FIRST conference Elias Levy (Mar 11)
- odd icmp broadcast scan Jon Lewis (Mar 12)
- Strange RPC? service entries. Tony Molloy (Mar 09)