Security Incidents mailing list archives

Re: I was scaned


From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Fri, 21 Jan 2000 15:21:21 -0800



> Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0
> PROTO=6 211.36.16.2:53 x.x.x.10:111 L=40 S=0x00
> I=62128 F=0x0000 T=238
>
> ....
> Any idea what it is? New sunrpc xploit in the wild?


They're looking for any hosts that have a reachable portmapper.  From
there they can query all available RPC services and look for
vulnerabilities in these.  Since virtually any RPC service ever
written has had a security vulnerability in it, this sounds accurate.
Make sure you are not only blocking port 111, but also privileged
TCP/UDP ports, and TCP/UDP ports in the 32000-33000 port range, since
Solaris has many RPC services listening on ports in those ranges by
default.  The portmapper isn't required to access an RPC service,
since you can find services simply by port scanning, and iterating
through known service numbers.

- Oliver
securityfocus.com

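Added example, not part of the original message: a small Python triage script that parses ipchains "Packet log" lines like the one quoted above and flags TCP/UDP packets aimed at the ports the reply says to block (111, privileged ports, 32000-33000), then lists the ones the filter accepted. The first sample line is the log entry from this thread joined onto one line; the other three are constructed, and the category names and function names are this example's own. Privileged ports on which the host deliberately offers a service will also be flagged and need to be excluded by hand.

```python
import re

# ipchains log layout: chain, action, interface, PROTO=n, src:port, dst:port, ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {6: "tcp", 17: "udp"}  # for ICMP the "port" fields hold type/code, so skip it

# First line: the entry quoted in this thread. Remaining lines: constructed samples.
SAMPLE_LOG = [
    "Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.10:111 L=40 S=0x00 I=62128 F=0x0000 T=238",
    "Jan 20 22:31:02 main kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.7:1044 198.51.100.10:32771 L=84 S=0x00 I=4021 F=0x0000 T=52",
    "Jan 20 22:31:09 main kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.7:1045 198.51.100.10:8080 L=40 S=0x00 I=4022 F=0x0000 T=52",
    "Jan 20 22:31:15 main kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.9:8 198.51.100.10:0 L=84 S=0x00 I=4023 F=0x0000 T=52",
]

def classify_port(port):
    """Map a destination port to the ranges named in the reply, or None."""
    if port == 111:
        return "portmapper"
    if port < 1024:
        return "privileged"
    if 32000 <= port <= 33000:
        return "solaris-rpc-range"
    return None

def rpc_probes(lines):
    """Return (src, proto, dport, category, action) for packets aimed at RPC-related ports."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ipchains packet log line
        proto = PROTO_NAMES.get(int(m["proto"]))
        category = classify_port(int(m["dport"]))
        if proto and category:
            hits.append((m["src"], proto, int(m["dport"]), category, m["action"]))
    return hits

def unblocked(hits):
    """Probes the ruleset accepted: these ports still need a blocking rule."""
    return [h for h in hits if h[4] == "ACCEPT"]

if __name__ == "__main__":
    for hit in rpc_probes(SAMPLE_LOG):
        print(hit)
```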

