Security Incidents mailing list archives

port 80 and sunrpc (111)


From: Robert <webmaster () hisgate org>
Date: Tue, 07 Aug 2001 21:04:45 -0500

Hello everyone:

We are not really adding to the thread here (so I hope we don't get flamed). It is simply that there is no other group we trust for *solid* information on topics dealing with security issues.

Since about a week after this CodeRed thing started, every time our mail client checks our email accounts now our firewall tells us "A remote system is attempting access", gives the IP address (not usually the same) of the remote system, etc., and tells us that some are attempting to connect to us through port 80 while others seem to be trying "sunrpc" on port 111 (of course we deny the access). In the log we see that it is "Inbound TCP connection".

It comes almost always just after checking the mail. No matter what time interval we have set for the mail check. I thought maybe it was my imagination at first, so I basically ignored it.

We are connected to an ISP whereby we can usually just sign back on and that changes the IP address and all is fine, we go on with our work as usual.

But it seems as time has progressed after "CodeRed" came out, that we are finding fewer and fewer IP addresses where we are left alone. It really isn't a major problem (since we have a firewall from one of the best companies in the business) we are really in no danger. It is more like a mosquito (pesky until swatted). Sometimes, however, it seems to actually cause our system to crash and restart itself.

We wanted to know if anyone has any ideas how we can stop this annoyance altogether?

Thanks,
Robert


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

