Snort mailing list archives

Re: rpc.statd


From: LEFEVRE David <David.LEFEVRE () cardif fr>
Date: Wed, 06 Jun 2001 09:44:42 +0200

You should look for the Cybercop or Nessus security scanning tool.
I use it to improve the security of my net; it runs well. It also has an
"nmap plugin".

For example:
Vulnerability found on port unknown (669/tcp)

The remote statd service could be brought down
with a format string attack - it now needs to
be restarted manually.

This means that an attacker may execute arbitrary
code thanks to a bug in this daemon.

Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

Best regards,
David

skop d'skop wrote:

Hi guys,
I've come across this alert lately for my network:

[**] IDS10 - RPC - portmap-request-rstatd [**]

May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
May 20 11:25:16 208.131.80.80:727 -> X.Y.Z.13:111 UDP

and I'm wondering what kind of scanning / tool triggers this alert.

I've tried with #rpcinfo -p hostname and #nmap -sU -sR hostname, yet no similar output.

-skop

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
David LEFEVRE
CARDIF - Architecture and Operational Security
david.lefevre () cardif fr - Tel: 01 41 42 76 63
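
A triage helper for alert lines like the ones quoted in this thread, added here as an example and not part of the original messages: it groups port 111 probes by source and lists the targets that saw both a TCP SYN and a UDP datagram. The sample lines are constructed in the same layout using documentation addresses; the function names and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the alert lines quoted in the thread
# (documentation address ranges, not data from the original post).
SAMPLE = """\
May 30 11:25:15 192.0.2.80:3348 -> 198.51.100.9:111 SYN ******S*
May 30 11:25:16 192.0.2.80:726 -> 198.51.100.9:111 UDP
May 30 11:25:15 192.0.2.80:3351 -> 198.51.100.12:111 SYN ******S*
May 30 11:25:15 192.0.2.80:3352 -> 198.51.100.13:111 SYN ******S*
May 30 11:25:16 192.0.2.80:727 -> 198.51.100.13:111 UDP
May 30 11:26:02 192.0.2.44:1029 -> 198.51.100.9:80 SYN ******S*
this line is not an alert record
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>SYN|UDP)\b"
)

PORTMAP = 111  # portmapper port seen in the alert lines


def summarize(text, port=PORTMAP):
    """Group probes to `port` by source: {src: {dst: {"SYN", "UDP"}}}."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # skip unparsable lines and other destination ports
        probes[m["src"]][m["dst"]].add(m["proto"])
    return {src: dict(targets) for src, targets in probes.items()}


def sweepers(text, min_targets=3):
    """Sources that touched port 111 on at least min_targets hosts
    (threshold is an assumption; tune it to the network)."""
    return sorted(s for s, t in summarize(text).items() if len(t) >= min_targets)


def both_transports(text):
    """(src, dst) pairs where the target saw a TCP SYN and a UDP datagram."""
    return sorted((s, d) for s, t in summarize(text).items()
                  for d, protos in t.items() if protos == {"SYN", "UDP"})


if __name__ == "__main__":
    for src in sweepers(SAMPLE):
        print(src, "probed port 111 on", len(summarize(SAMPLE)[src]), "hosts")
    for src, dst in both_transports(SAMPLE):
        print(src, "->", dst, "over TCP and UDP")
```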

