Security Incidents mailing list archives
Re: Crazy port 111 scans
From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Tue, 6 Feb 2001 13:31:48 -0500
Looks like it was the Red Hat 6.2 exploit of statd. Someone snuck a box on the external segment and didn't think I would find it. Well, it got compromised at 5:30 am EST. Looks like the script kiddies are going wild.

Thanks for everyone's help

Mike

-----Original Message-----
From: Tyrannis Von Nettesheim [mailto:tyrannis () wwc com]
Sent: Tuesday, February 06, 2001 1:09 PM
To: Reeves, Mike
Cc: incidents () securityfocus com
Subject: RE: Crazy port 111 scans

Curious...

In looking at the advertised window size from this host, it's 32120, which is exactly the MSS value <1460, or one packet> below the default Solaris 2.6 and lower revision window size, which I believe is 33580. The DF <Don't Fragment> bit is set as well, another Solaris/Sun non-Sun3 default setting.

Weird - it's almost like that host <host181.visualsoft-usa.com and other bogus IPs> had something perpetually in its buffer it couldn't flush, or what did this was a piece of bad monolithic coding.

-T

-----Original Message-----
From: Reeves, Mike [mailto:MReeves () SYNCHRONY NET]
Sent: Monday, February 05, 2001 5:27 PM
Subject: Crazy port 111 scans

I have had more 111 scans these past 5 days than in the last 2 months. Is there some new RPC exploit or something? Anyone else seeing these hosts?

18:22:00.911324 host181.visualsoft-usa.com.1645 > My.network.com.111: S 402285810:402285810(0) win 32120 (DF)
02/05/01 13:47:55.277351 12.31.6.3.2064 > My.network.com.sunrpc: S 33416796:33416796(0) win 32120 (DF)
02/05/01 14:29:14.683800 211.38.138.9.1162 > My.Network.com.sunrpc: S 461989038:461989038(0) win 32120
02/02/01 19:48:06.869293 adsl-27-8.owt.com.2005 > My.network.com.sunrpc: S 4034763275:4034763275(0) win 32120 (DF)
02/02/01 23:51:50.661684 62.65.2.71.2607 > My.network.com.sunrpc: S 3918117478:3918117478(0) win 32120 (DF)
02/03/01 04:03:38.658691 ns.ilemex.com.mx.2997 > My.network.com.sunrpc: S 1478508650:1478508650(0) win 32120 (DF)
02/03/01 11:13:36.380162 211.38.138.9.2476 > My.network.com.sunrpc: S 3191203248:3191203248(0) win 32120 (DF)
02/03/01 18:27:46.742232 196.12.47.172.2954 > My.network.com.sunrpc: S 820917967:820917967(0) win 32120 (DF)
02/04/01 18:22:00.915583 63.102.65.181.1649 > My.network.com.sunrpc: S 407442869:407442869(0) win 32120 (DF)
02/04/01 18:51:51.514082 66.35.6.50.2999 > My.Network.com.sunrpc: S 817945587:817945587(0) win 32120 (DF)

Mike K. Reeves
Networking Services Engineer, Synchrony Communications, Inc.
MCSE Microsoft Certified System Eliminator
"Geek by nature... Linux By Choice..."
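
Added example, not part of the original posts: a Python sketch that parses the tcpdump SYN lines quoted in the thread and groups the source hosts by the (window size, DF) signature the reply discusses, showing how many distinct sources share it. The function names and the `min_sources` threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (destination was anonymised by the poster).
LOG = """\
18:22:00.911324 host181.visualsoft-usa.com.1645 > My.network.com.111: S 402285810:402285810(0) win 32120 (DF)
02/05/01 13:47:55.277351 12.31.6.3.2064 > My.network.com.sunrpc: S 33416796:33416796(0) win 32120 (DF)
02/05/01 14:29:14.683800 211.38.138.9.1162 > My.Network.com.sunrpc: S 461989038:461989038(0) win 32120
02/02/01 19:48:06.869293 adsl-27-8.owt.com.2005 > My.network.com.sunrpc: S 4034763275:4034763275(0) win 32120 (DF)
02/02/01 23:51:50.661684 62.65.2.71.2607 > My.network.com.sunrpc: S 3918117478:3918117478(0) win 32120 (DF)
02/03/01 04:03:38.658691 ns.ilemex.com.mx.2997 > My.network.com.sunrpc: S 1478508650:1478508650(0) win 32120 (DF)
02/03/01 11:13:36.380162 211.38.138.9.2476 > My.network.com.sunrpc: S 3191203248:3191203248(0) win 32120 (DF)
02/03/01 18:27:46.742232 196.12.47.172.2954 > My.network.com.sunrpc: S 820917967:820917967(0) win 32120 (DF)
02/04/01 18:22:00.915583 63.102.65.181.1649 > My.network.com.sunrpc: S 407442869:407442869(0) win 32120 (DF)
02/04/01 18:51:51.514082 66.35.6.50.2999 > My.Network.com.sunrpc: S 817945587:817945587(0) win 32120 (DF)
"""

# Optional date, time, src.port > dst.port, bare SYN, advertised window, optional DF flag.
SYN = re.compile(
    r"(?:(?P<date>\d\d/\d\d/\d\d) )?(?P<time>[\d:.]+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+):? "
    r"S \d+:\d+\(0\) win (?P<win>\d+)(?P<df> \(DF\))?$"
)
PORTMAP = {"111", "sunrpc"}  # tcpdump prints the port as a number or a service name


def fingerprint_portmap_syns(log_text):
    """Map (window, df_set) -> sorted distinct sources that sent a SYN to port 111."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = SYN.match(line.strip())
        if m and m["dport"] in PORTMAP:
            groups[(int(m["win"]), m["df"] is not None)].add(m["src"])
    return {sig: sorted(srcs) for sig, srcs in groups.items()}


def shared_signatures(groups, min_sources=3):
    """Signatures sent by many unrelated sources point to one scanning tool or OS build."""
    return [sig for sig, srcs in groups.items() if len(srcs) >= min_sources]


if __name__ == "__main__":
    found = fingerprint_portmap_syns(LOG)
    for sig in shared_signatures(found):
        print(f"win={sig[0]} DF={sig[1]}: {len(found[sig])} distinct sources")
```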