Security Incidents mailing list archives

Re: Crazy port 111 scans


From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Tue, 6 Feb 2001 13:31:48 -0500

Looks like it was the Red Hat 6.2 exploit of statd. Someone snuck a box on
the external segment and didn't think I would find it. Well, it got
compromised at 5:30 am EST. Looks like the script kiddies are going wild.

Thanks for everyone's help

Mike

-----Original Message-----
From: Tyrannis Von Nettesheim [mailto:tyrannis () wwc com]
Sent: Tuesday, February 06, 2001 1:09 PM
To: Reeves, Mike
Cc: incidents () securityfocus com
Subject: RE: Crazy port 111 scans
Curious... In looking at the advertised window size from this host, it's
32120, which is exactly the MSS value <1460, or one packet> below the
default Solaris 2.6 and lower revision window size, which I believe is
33580. The DF <Don't Fragment> bit is set as well, another Solaris/Sun
non-Sun3 default setting.

Weird - it's almost like that host <host181.visualsoft-usa.com and other
bogus IPs> had something perpetually in its buffer it couldn't flush, or
what did this was a piece of bad monolithic coding.

-T

-----Original Message-----
From: Reeves, Mike [mailto:MReeves () SYNCHRONY NET]
Sent: Monday, February 05, 2001 5:27 PM
Subject: Crazy port 111 scans
I have had more 111 scans in these past 5 days than in the last 2 months. Is
there some new RPC exploit or something?

Anyone else seeing these hosts?

18:22:00.911324 host181.visualsoft-usa.com.1645 > My.network.com.111: S 402285810:402285810(0) win 32120 (DF)
02/05/01 13:47:55.277351 12.31.6.3.2064 > My.network.com.sunrpc: S 33416796:33416796(0) win 32120 (DF)
02/05/01 14:29:14.683800 211.38.138.9.1162 > My.Network.com.sunrpc: S 461989038:461989038(0) win 32120
02/02/01 19:48:06.869293 adsl-27-8.owt.com.2005 > My.network.com.sunrpc: S 4034763275:4034763275(0) win 32120 (DF)
02/02/01 23:51:50.661684 62.65.2.71.2607 > My.network.com.sunrpc: S 3918117478:3918117478(0) win 32120 (DF)
02/03/01 04:03:38.658691 ns.ilemex.com.mx.2997 > My.network.com.sunrpc: S 1478508650:1478508650(0) win 32120 (DF)
02/03/01 11:13:36.380162 211.38.138.9.2476 > My.network.com.sunrpc: S 3191203248:3191203248(0) win 32120 (DF)
02/03/01 18:27:46.742232 196.12.47.172.2954 > My.network.com.sunrpc: S 820917967:820917967(0) win 32120 (DF)
02/04/01 18:22:00.915583 63.102.65.181.1649 > My.network.com.sunrpc: S 407442869:407442869(0) win 32120 (DF)
02/04/01 18:51:51.514082 66.35.6.50.2999 > My.Network.com.sunrpc: S 817945587:817945587(0) win 32120 (DF)
Mike K. Reeves
Networking Services Engineer,
Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."
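The thread's observation is that every portmapper SYN in the capture carries the same advertised window (32120) and, with one exception, the DF bit, so the scans look like one scanning stack rather than many unrelated hosts. The script below is an added example, not code from either poster: it parses tcpdump SYN lines in the format quoted above, groups them by the (window, DF) pair Tyrannis points at, and lists the distinct sources hitting port 111/sunrpc per fingerprint. The sample log is constructed (host names and addresses are reused from the thread; the final non-RPC line is added to show the filter ignores unrelated traffic), and all function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump format quoted in the thread. Host names and
# addresses are reused from the thread; the last line (a SYN to www, not RPC)
# is added so the output shows that non-portmapper traffic is left alone.
SAMPLE_LOG = """\
18:22:00.911324 host181.visualsoft-usa.com.1645 > My.network.com.111: S 402285810:402285810(0) win 32120 (DF)
02/05/01 13:47:55.277351 12.31.6.3.2064 > My.network.com.sunrpc: S 33416796:33416796(0) win 32120 (DF)
02/05/01 14:29:14.683800 211.38.138.9.1162 > My.Network.com.sunrpc: S 461989038:461989038(0) win 32120
02/02/01 19:48:06.869293 adsl-27-8.owt.com.2005 > My.network.com.sunrpc: S 4034763275:4034763275(0) win 32120 (DF)
02/03/01 11:13:36.380162 211.38.138.9.2476 > My.network.com.sunrpc: S 3191203248:3191203248(0) win 32120 (DF)
02/04/01 18:51:51.514082 66.35.6.50.2999 > My.Network.com.sunrpc: S 817945587:817945587(0) win 32120 (DF)
02/04/01 19:02:11.000001 10.0.0.5.4321 > My.network.com.www: S 1:1(0) win 5840 (DF)
"""

# One classic tcpdump SYN line:
#   [MM/DD/YY] HH:MM:SS.usec src.sport > dst.dport: S seq:seq(len) win N [(DF)]
# src/dst are matched non-greedily so the last dotted component becomes the port.
SYN_RE = re.compile(
    r"^(?:(?P<date>\d\d/\d\d/\d\d)\s+)?"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s+S\s+"
    r"\d+:\d+\(\d+\)\s+win\s+(?P<win>\d+)"
    r"(?P<df>\s+\(DF\))?"
)

# The portmapper, numeric or as tcpdump resolves it from /etc/services.
RPC_PORTS = {"111", "sunrpc"}


def parse_syn(line):
    """Return a dict for a SYN line in the format above, or None for anything else."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "src": m.group("src"),
        "sport": m.group("sport"),
        "dst": m.group("dst"),
        "dport": m.group("dport"),
        "win": int(m.group("win")),
        "df": m.group("df") is not None,
    }


def fingerprint(rec):
    """The two stack-dependent fields the thread discusses: advertised window and DF bit."""
    return (rec["win"], rec["df"])


def summarize(log_text):
    """Count SYNs per (window, DF) fingerprint and list distinct portmapper scan sources."""
    by_fp = Counter()
    rpc_sources_by_fp = defaultdict(set)
    rpc_syns = []
    for line in log_text.splitlines():
        rec = parse_syn(line)
        if rec is None:
            continue  # not a SYN line in this format; skip silently
        by_fp[fingerprint(rec)] += 1
        if rec["dport"] in RPC_PORTS:
            rpc_syns.append(rec)
            rpc_sources_by_fp[fingerprint(rec)].add(rec["src"])
    return {
        "rpc_syn_count": len(rpc_syns),
        "rpc_sources": sorted({r["src"] for r in rpc_syns}),
        "by_fingerprint": by_fp,
        "rpc_sources_by_fingerprint": {fp: sorted(s) for fp, s in rpc_sources_by_fp.items()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['rpc_syn_count']} SYNs to the portmapper from {len(s['rpc_sources'])} distinct sources")
    for fp, n in s["by_fingerprint"].most_common():
        srcs = s["rpc_sources_by_fingerprint"].get(fp, [])
        print(f"win={fp[0]} DF={fp[1]}: {n} SYN(s); RPC scan sources: {srcs}")
```

Grouping by (window, DF) is a coarse passive fingerprint: it separates the run of identical 32120/DF SYNs from ordinary traffic on the same port, but it does not by itself identify the operating system, and the one 32120 SYN without DF in the thread shows that a single field can differ within what is otherwise the same pattern.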
