Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?


From: Niels Heinen <niels.heinen () UBIZEN COM>
Date: Mon, 15 Jan 2001 02:08:24 +0100

Alex Popa wrote:

In the last five days, the port scans to my entire class C have dramatically
increased, from one per two days on average, to four yesterday and six today.

Is there a new exploit around, or is there some sort of new worm out there?

I might just be paranoid, but here are the addresses that have been looking
for port 111 in the last 26 hours:

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor () ldc ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

There are several automated rpc hacking tools circulating in the underground.
Most of them are modified statdx.c exploits with rpc scanners. The scanner
keeps a record of hosts found with rpc enabled and this list is used by the
modified statdx which will try to exploit them. It might be possible that some
script kiddie is using it against you, not realising how noisy these tools are.

Greets,

Niels
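
A defender-side check for the activity discussed in this thread, as an added example that is not part of either message: it counts, per source address, how many distinct hosts in a monitored network were probed on port 111 within a short window. The log format, the sample lines (documentation address ranges) and the name `find_portmap_sweeps` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up "time action proto src:port -> dst:port"
# format; all addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
2001-01-14T22:10:01 DENY TCP 198.51.100.7:1022 -> 192.0.2.1:111
2001-01-14T22:10:01 DENY TCP 198.51.100.7:1023 -> 192.0.2.2:111
2001-01-14T22:10:02 DENY UDP 198.51.100.7:1024 -> 192.0.2.3:111
2001-01-14T22:10:02 DENY TCP 198.51.100.7:1025 -> 192.0.2.4:111
2001-01-14T22:15:40 DENY TCP 203.0.113.20:4001 -> 192.0.2.10:111
2001-01-14T22:15:41 DENY TCP 203.0.113.20:4002 -> 192.0.2.10:111
2001-01-14T22:20:00 ACCEPT TCP 198.51.100.7:2000 -> 192.0.2.80:80
2001-01-14T23:00:00 DENY TCP 203.0.113.99:3000 -> 192.0.2.5:111
2001-01-15T01:00:00 DENY TCP 203.0.113.99:3001 -> 192.0.2.6:111
2001-01-15T03:00:00 DENY TCP 203.0.113.99:3002 -> 192.0.2.7:111
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?:TCP|UDP) (?P<src>[\d.]+):\d+"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def find_portmap_sweeps(log_text, network, min_hosts=3,
                        window=timedelta(minutes=5)):
    """Map each sweeping source to the most distinct hosts it probed on
    port 111 inside `network` within any single time window."""
    net = ipaddress.ip_network(network)
    probes = defaultdict(list)              # source -> [(time, destination)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "111":    # only sunrpc/portmapper probes
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in net:
            probes[m["src"]].append((datetime.fromisoformat(m["ts"]), dst))
    sweeps = {}
    for src, events in probes.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_hosts:               # one repeated target is not a sweep
            sweeps[src] = best
    return sweeps

if __name__ == "__main__":
    print(find_portmap_sweeps(SAMPLE_LOG, "192.0.2.0/24"))
```

A source that spreads its probes over hours stays under the default five-minute window, so a longer `window` is needed to surface slow sweeps.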
