Security Incidents mailing list archives

Re: just how much sunrpc scanning is normal?


From: nathan () MMIND NET (Nathan Nichols)
Date: Sat, 26 Feb 2000 01:03:31 -0600


I used to get quite a bit of portmap connection attempt activity as well.
The machine in question is a web mirror server, and until I dropped our
Linuxberg mirror, it got a lot of strange activity.  After I dropped that
site, connection attempts and port scans went way down.

I recognized one of the hosts in the log section you posted.
(turbo.rdb.co.jp, which is 210.162.153.22).

Jan  1 18:20:35 subzero portmap[11616]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:36 subzero portmap[11624]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:37 subzero portmap[11632]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:37 subzero portmap[11640]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:38 subzero portmap[11648]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:38 subzero portmap[11656]: connect from 210.162.153.22 to dump(): request from unauthorized host
Jan  1 18:20:41 subzero portmap[11665]: connect from 210.162.153.22 to dump(): request from unauthorized host

-----
Nathan Nichols
Unix Systems Administrator
MasterMind Internet Services

----- Original Message -----
From: "Jon Burdge" <jburdge () AVENTAIL COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, February 24, 2000 6:07 PM
Subject: just how much sunrpc scanning is normal?

I've been seeing a lot of scanning on my machines for open sunrpc ports. I
always try to notify the admin of the machine that scanned me, as it's been
my experience it's usually just a staging point for some script kitty. The
reason I'm writing this is I'd like to know... is this amount of activity
normal?  Here's the logs from one of my machines.  This isn't a high profile
site or anything.

Dec 16 17:22:28 sol tcplogd[458]: sunrpc connection from @mangle.atsi.net:758
Dec 25 20:07:33 sol tcplogd[12185]: sunrpc connection from 38.193.155.121:16541
Jan  1 17:49:49 sol tcplogd[3386]: sunrpc connection from turbo.rdb.co.jp:2666
Jan  4 12:34:02 sol tcplogd[7061]: sunrpc connection from @210.107.65.65:955
Jan 27 08:56:39 sol tcplogd[13530]: sunrpc connection from cx674799-a.irvn1.occa.home.com:2488
Feb  6 14:02:02 sol tcplogd[2262]: sunrpc connection from @211.40.176.241:871
Feb  8 20:49:27 sol tcplogd[4843]: sunrpc connection from @209.24.82.10:753
Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from ms3.riverview.net:852
Feb 16 09:55:00 sol tcplogd[1034]: sunrpc connection from @dns.sumitomo-fh.co.jp:31391
Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @www.4quest.com:884

Is it just I never realized how common this scanning was?  Is this a feature
of some automated scanning/exploitation script out there?

jlb.
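A small parser for the two log formats that appear in this thread (tcplogd's "sunrpc connection from" notices and portmap's "request from unauthorized host" refusals), added here as an example and not part of either message: it tallies attempts per source host and flags the pattern Nathan's log shows, several dump() requests from one host within a few seconds. The sample lines are constructed in the same formats with documentation-range addresses, and the burst threshold (5 events in 30 seconds) is an arbitrary assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# syslog line shapes from the thread: tcplogd connection notice (source may
# carry a leading '@') and a portmap access-control refusal.
TCPLOGD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ tcplogd\[\d+\]: "
    r"sunrpc connection from @?(?P<src>[^:\s]+):(?P<port>\d+)$")
PORTMAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portmap\[\d+\]: "
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\(\): "
    r"request from unauthorized host$")

# Constructed sample in the thread's two formats (not the posters' real hosts).
SAMPLE = """\
Jan  1 17:49:49 sol tcplogd[3386]: sunrpc connection from 192.0.2.7:2666
Jan  1 18:20:35 subzero portmap[11616]: connect from 192.0.2.7 to dump(): request from unauthorized host
Jan  1 18:20:36 subzero portmap[11624]: connect from 192.0.2.7 to dump(): request from unauthorized host
Jan  1 18:20:37 subzero portmap[11632]: connect from 192.0.2.7 to dump(): request from unauthorized host
Jan  1 18:20:37 subzero portmap[11640]: connect from 192.0.2.7 to dump(): request from unauthorized host
Jan  1 18:20:38 subzero portmap[11648]: connect from 192.0.2.7 to dump(): request from unauthorized host
Feb  6 14:02:02 sol tcplogd[2262]: sunrpc connection from @198.51.100.9:871
Feb  8 20:49:27 sol tcplogd[4843]: sunrpc connection from @198.51.100.9:753
""".splitlines()

def parse_line(line, year=2000):
    """Return (timestamp, source, kind) or None; kind is 'probe' for a bare
    sunrpc connection and 'denied' for a portmap refusal. syslog omits the
    year, so it is supplied (assumed) by the caller."""
    for rx, kind in ((TCPLOGD_RE, "probe"), (PORTMAP_RE, "denied")):
        m = rx.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["src"], kind
    return None

def summarize(lines, burst=5, window_s=30):
    """Per-source counts plus a 'burst' flag: True when `burst` or more
    events from that source fall inside any `window_s`-second span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, kind = parsed
            events[src].append((ts, kind))
    report = {}
    for src, evs in events.items():
        evs.sort()
        bursty = any((evs[i + burst - 1][0] - evs[i][0]).total_seconds() <= window_s
                     for i in range(len(evs) - burst + 1))
        report[src] = {"probes": sum(k == "probe" for _, k in evs),
                       "denied": sum(k == "denied" for _, k in evs),
                       "burst": bursty}
    return report
```

Run it over a real syslog with `summarize(open("/var/log/messages"))` to see which sources merely touched port 111 once and which swept the portmapper, as the 210.162.153.22 host did above.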