Security Incidents mailing list archives

Re: just how much sunrpc scanning is normal?


From: jlewis () LEWIS ORG (Jon Lewis)
Date: Sat, 26 Feb 2000 00:00:53 -0500


On Thu, 24 Feb 2000, Jon Burdge wrote:

> Dec 16 17:22:28 sol tcplogd[458]: sunrpc connection from @mangle.atsi.net:758

$ telnet mangle.atsi.net 79
Trying 204.57.111.227...
Connected to mangle.atsi.net.
Escape character is '^]'.
own
Login: own                              Name:
Directory: /                            Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Connection closed by foreign host.

That's a very bad sign.

> Feb  8 20:49:27 sol tcplogd[4843]: sunrpc connection from @209.24.82.10:753
> Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from ms3.riverview.net:852
> Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @www.4quest.com:884

Generally any scans that come from low ports are either rooted systems or
a hacker/scanner's system dialed into the net.  That one above with the
own account is almost certainly hacked.  The fact that it scanned you in
December and still has the own account doesn't say much for them.

> Is it just I never realized how common this scanning was?  Is this a feature
> of some automated scanning/exploitation script out there?

The common MO seems to be:

1) hack a box
2) install automated scanning tools
3) come back later, see what it found, hack them
4) goto 2

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
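The heuristic in the reply above (a sunrpc probe arriving from a reserved source port, below 1024, was sent by a process running as root, which on an ordinary host points to a compromised box or the attacker's own machine) is easy to turn into a log check. The following Python is an added example written for this archive page, not code from the thread or from Jon Lewis; it parses tcplogd lines in the format quoted in the thread and flags the sources that connected from a reserved port. The log text embedded in it is constructed from the quoted lines plus one made-up high-port line for contrast, and the regex (including the optional leading "@" seen in the quoted output) is an assumption about tcplogd's format based only on those lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# On classic Unix, binding a source port in 0-1023 requires root.
RESERVED_PORT_MAX = 1023

# Constructed sample: the tcplogd lines quoted in the thread, rejoined onto
# single lines, plus one invented high-port connection (example.invalid).
SAMPLE_LOG = """\
Dec 16 17:22:28 sol tcplogd[458]: sunrpc connection from @mangle.atsi.net:758
Feb  8 20:49:27 sol tcplogd[4843]: sunrpc connection from @209.24.82.10:753
Feb 13 03:08:21 sol tcplogd[9229]: sunrpc connection from ms3.riverview.net:852
Feb 20 23:02:55 sol tcplogd[10300]: sunrpc connection from @www.4quest.com:884
Feb 21 10:15:02 sol tcplogd[10311]: sunrpc connection from example.invalid:34567
"""

# Assumed line format, inferred from the quoted lines only:
#   <Mon dd HH:MM:SS> <host> tcplogd[<pid>]: <service> connection from [@]<src>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) tcplogd\[(?P<pid>\d+)\]: "
    r"(?P<service>\S+) connection from @?(?P<src>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    service: str
    src: str
    port: int

    @property
    def from_reserved_port(self) -> bool:
        # The thread's indicator: a root-owned client socket on the scanning side.
        return self.port <= RESERVED_PORT_MAX


def parse_tcplogd(line: str) -> Optional[Event]:
    """Parse one tcplogd line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], m["service"], m["src"], int(m["port"]))


def parse_log(text: str) -> list[Event]:
    """Parse every matching line of a log, silently skipping the rest."""
    return [e for e in map(parse_tcplogd, text.splitlines()) if e is not None]


def flag_privileged_sources(text: str) -> list[Event]:
    """Return the connections whose source port is in the reserved range."""
    return [e for e in parse_log(text) if e.from_reserved_port]


def summarize_sources(text: str) -> dict[str, dict]:
    """Per source host: total connections, reserved-port hits, and ports seen."""
    summary: dict[str, dict] = {}
    for e in parse_log(text):
        s = summary.setdefault(
            e.src, {"connections": 0, "reserved_port_hits": 0, "ports": []}
        )
        s["connections"] += 1
        s["ports"].append(e.port)
        if e.from_reserved_port:
            s["reserved_port_hits"] += 1
    return summary


if __name__ == "__main__":
    for e in flag_privileged_sources(SAMPLE_LOG):
        print(f"{e.ts} {e.src}:{e.port} -> reserved source port; "
              f"scanner likely ran as root on {e.src}")
    for src, s in summarize_sources(SAMPLE_LOG).items():
        print(f"{src}: {s['connections']} connection(s), "
              f"{s['reserved_port_hits']} from reserved ports")
```

Run it as a script to see the four quoted sources flagged and the constructed high-port source left alone; in practice you would feed it the real tcplogd output and follow up on the flagged hosts with their abuse contacts, as the thread suggests.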

