Security Incidents mailing list archives

Re: What's this a probe for?


From: coldfire () SHADY ORG (Cold Fire)
Date: Fri, 18 Feb 2000 20:35:03 +0000


On Thu, Feb 17, 2000 at 05:10:51PM -0800, Robert Graham wrote:
> I don't think so, but I think it is related.
>
> The DDoS floods came from Sun servers that were compromised by RPC services
> like cmsd, tooltalk, statd, etc. These services usually run on dynamically
> assigned port numbers, and you discover which by sending a request to the
> portmapper service at port 111.
>
> However, Sun machines start allocating their dynamic port assignments at
> around 32771. A probe for 32773 means that the hacker is hoping that you (or
> others in your address range) have a Sun workstation, and that the exploit
> he/she is scanning for runs at port 32773. On my machine, cachefsd is
> running at that port. I am not aware of any attacks against that service. My
> guess is that on the hacker's machine, cmsd is running at that port, and
> he/she is scanning the Internet for similarly configured machines.


As RPC ports are dynamically assigned, the chances of the same service running
on the same port on several machines are pretty slim (although there are a few
exceptions, notably nfsd). The only reason to try and connect directly to
these ports would be if the target was blocking port 111. As the attack
seems to have been directed at a single port, a scan for RPC services is
unlikely. However, early versions of Solaris (2.5.1 and earlier) ran
an undocumented UDP portmapper service on ports higher than 32770 (port
dependent on OS release and architecture), and it is probably this
that the attacker is scanning for to avoid filtering of port 111.

later

Steve

--
'Cold Fire, Britain's most notorious hacker' Observer, July 1997
'The most recent conviction was that of [Cold Fire] whose On-line
escapades spanned from hacking into educational sites to more
sinister activities such as tapping into industrial and United
States military sites.' DC Paul Cox, SO6 Scotland Yard CCU
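A detection check for the pattern discussed in this thread, added here as an example and not part of the original post: it scans constructed log lines for sources that connect straight into Sun's dynamic RPC range (32771 and up) on a host without first querying that host's portmapper on port 111, which is what a scanner trying to sidestep port-111 filtering would look like. The log format, addresses and function names are assumptions made for this example.

```python
"""Flag direct probes of Sun's dynamic RPC port range (32771 and up) that were not
preceded by a portmapper (port 111) query from the same source to the same host,
the pattern the thread attributes to a scanner trying to sidestep port-111 filtering."""
from collections import defaultdict

# Constructed sample log lines (not from the original post), in time order:
# "<date> <time> <src> -> <dst>:<dport>/<proto>"
SAMPLE_LOG = """\
2000-02-17 16:58:01 198.51.100.7 -> 192.0.2.10:111/udp
2000-02-17 16:58:02 198.51.100.7 -> 192.0.2.10:32771/udp
2000-02-17 17:10:51 203.0.113.44 -> 192.0.2.10:32773/udp
2000-02-17 17:10:52 203.0.113.44 -> 192.0.2.11:32773/udp
2000-02-17 17:10:53 203.0.113.44 -> 192.0.2.12:32773/udp
2000-02-17 17:20:00 192.0.2.5 -> 192.0.2.10:2049/tcp
"""

SUN_RPC_DYNAMIC_MIN = 32771  # Sun hosts start handing out RPC ports here


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) for one constructed log line."""
    date, time, src, _, target = line.split()
    dst, rest = target.split(":")
    dport, proto = rest.split("/")
    return f"{date} {time}", src, dst, int(dport), proto


def find_direct_rpc_probes(log_text, min_targets=1):
    """Map each source that hit the Sun dynamic RPC range on a host without first
    asking that host's portmapper to the sorted (dst, dport) pairs it touched.
    Only sources reaching at least `min_targets` distinct hosts are reported."""
    asked_portmapper = set()     # (src, dst) pairs seen querying port 111
    direct = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, _ = parse_line(line)
        if dport == 111:
            asked_portmapper.add((src, dst))
        elif dport >= SUN_RPC_DYNAMIC_MIN and (src, dst) not in asked_portmapper:
            direct[src].add((dst, dport))
    return {src: sorted(hits) for src, hits in direct.items()
            if len({dst for dst, _ in hits}) >= min_targets}


if __name__ == "__main__":
    for src, hits in find_direct_rpc_probes(SAMPLE_LOG, min_targets=2).items():
        print(f"{src} probed {len(hits)} host(s) directly: {hits}")
```

The check is order-dependent and keyed per (source, destination) pair, so feed it log lines in time order; fixed-port services such as nfsd on 2049 fall outside the range and are deliberately not flagged.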


