Security Incidents mailing list archives
RE: increase in scans for RPC
From: Dan Irwin <dan () jackies com au>
Date: Thu, 21 Mar 2002 10:28:31 +1000
I have noticed an increase in RPC scanning. The vast majority of the machines probing me appear to be default installations of Redhat Linux 6.2 on Asian networks.

I set up a honeypot to try to catch some of this traffic. Within 6 hours of going online, my honeypot had an RPC scanning worm.

The worm (whose name I do not know) lives in /dev/ida/.inet/, and installs a modified ps (among others), scans a class A for sunrpc servers, and puts the ethernet interface into promiscuous mode to sniff passwords with linsniffer.

I believe the worm exploits the rpc.statd service included with rh6.2.

A quick search on Google reveals this worm has been seen before, so it's nothing new :)

Dan.

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au

-----Original Message-----
From: Todd Suiter [mailto:todd () s4r com]
Sent: Wednesday, 20 March 2002 10:12 AM
To: incidents () securityfocus com
Cc: Todd Suiter
Subject: increase in scans for RPC

Folks,

We've seen a dramatic increase in syn scans against tcp 111, went from a couple a week to over 11,000 in the past week. Has anyone else seen an increase like this? Is there yet another new tool out, or is this looking for one of the older 'sploits? Is this rpc.cmsd?

t

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
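A host triage check built from the indicators in Dan Irwin's reply (the /dev/ida/.inet directory and an interface left in promiscuous mode), as an added example that is not part of the original thread. It also lists any regular file under /dev, which goes beyond the single path in the post; the function names, the root argument and the use of sysfs interface flags (present on current Linux kernels, not on Red Hat 6.2) are assumptions.

```shell
#!/bin/sh
# Added triage sketch. The path and behaviours checked come from the post;
# function names and the <root> argument are hypothetical.
# Usage: sh triage.sh /            (live host)
#        sh triage.sh /mnt/image   (disk image mounted read-only)
# The post says the worm replaces ps, so prefer checking a mounted image
# with tools from trusted media rather than the suspect host's own binaries.

WORM_DIR="dev/ida/.inet"   # directory named in the post

# Succeeds if the worm's directory exists under <root>.
has_worm_dir() {
    [ -d "${1%/}/$WORM_DIR" ]
}

# Lists regular files under <root>/dev (generalises the single path above).
# -xdev keeps find out of separate mounts such as /dev/shm on a live host.
dev_regular_files() {
    find "${1%/}/dev" -xdev -type f 2>/dev/null || true
}

# Succeeds if IFF_PROMISC (0x100) is set in an interface flags word.
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Prints interfaces whose sysfs flags show promiscuous mode.
promisc_ifaces() {
    for f in "${1%/}"/sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if is_promisc "$(cat "$f")"; then basename "$(dirname "$f")"; fi
    done
}

# Runs all checks and prints one line per finding plus a final count.
triage() {
    root="${1:-/}"; findings=0
    if has_worm_dir "$root"; then
        echo "worm directory present: ${root%/}/$WORM_DIR"; findings=$((findings + 1))
    fi
    for p in $(dev_regular_files "$root"); do
        echo "regular file under /dev: $p"; findings=$((findings + 1))
    done
    for i in $(promisc_ifaces "$root"); do
        echo "promiscuous interface: $i"; findings=$((findings + 1))
    done
    echo "findings=$findings"
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

A regular file under /dev or a promiscuous interface is a lead to review by hand, not proof of this worm; packet capture tools and some virtualisation bridges also set the promiscuous flag.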
Current thread:
- increase in scans for RPC Todd Suiter (Mar 19)
- <Possible follow-ups>
- RE: increase in scans for RPC Dan Irwin (Mar 20)