Security Incidents mailing list archives
Re: Lots of rpc.statd probes lately
From: James Paterson <jpaterson () DATAMIRROR COM>
Date: Thu, 1 Mar 2001 14:18:24 -0500
-- snip eventually all the boxes that can be exploited will be exploited and the number of scans should begin tapering off as some of the compromised boxes are fixed. -- snip I would suggest quite the opposite, I am sure that the number of exploitable boxes being added every minute by far exceeds those that are properly secured, and the number of machines being connected to the net is not doing down. Which is why we have to spread the word and educate people about securing their systems, before the Internet melts through heat death caused by SK's using nmap ;). -----Original Message----- From: Steve Stearns [mailto:sterno () BIGBROTHER NET] Sent: Thursday, March 01, 2001 1:10 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Lots of rpc.statd probes lately Frank Louwers wrote:
The last 2 weeks, I've seen a HUGE increase in rpc.statd probes. Any new exploits around? Frank
The system I run is a relatively low profile system (linux box hooked up to a DSL line with just my low traffic website on it). So, my assumption is that almost all of the rpc probes I see are from sequential searches of IP addresses. Since February 12th I have seen 73 unique rpc probes on my system making for an average of just over 4 probes a day (and it seems like it's been increasing lately). Not a lot in the grand scheme of things, but considering that this is almost all from sequential scanning, it seems like a whole lot to me. By contrast, a few months ago I was maybe getting 3 probes a week (and that's all kinds of probes, not just RPC). So I've seen at least an order of magnitude increase (using my relatively unscientific measurements). I think that the big increases aren't so much attributed to new exploits, but rather that as vulnerable boxes are exploited, they increase the number of overall scans resulting in more exploits, wash, rinse, repeat. On the bright side, eventually all the boxes that can be exploited will be exploited and the number of scans should begin tapering off as some of the compromised boxes are fixed. ---Steve
Current thread:
- Lots of rpc.statd probes lately Frank Louwers (Mar 01)
- Re: Lots of rpc.statd probes lately Steve Stearns (Mar 01)
- <Possible follow-ups>
- Re: Lots of rpc.statd probes lately James Paterson (Mar 01)
- Re: Lots of rpc.statd probes lately Justin Shore (Mar 01)
- Re: Lots of rpc.statd probes lately Joseph Nicholas Yarbrough (Mar 02)