Security Incidents mailing list archives
Re: I was scaned
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Sat, 22 Jan 2000 20:07:32 -0800
Our (Network ICE) customers are seeing tons of these RPC getports on the standard exploitable programs that are already known. The basic rule of thumb is:

* Everyone is getting UDP getport/dump requests on port 111 on a regular basis.
* If you install a Sun machine (the most popular high-end webserver) with RPC services exposed to the Internet, it will get hacked within a month because of this.

Your log does show something new, however. The attacker is putting the source port as 53 in order to penetrate firewalls. Many stateless firewalls allow any incoming UDP packet with a source port of 53 on the assumption that it is a DNS response, but hackers can exploit this to send any data through the firewall. We put this in the first version of our BlackICE intrusion detection system, but we haven't seen this trigger often. Maybe hackers are wising up to this technique.

Rob.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of C.
Sent: Thursday, January 20, 2000 11:33 PM
To: INCIDENTS () securityfocus com
Subject: I was scaned

This is from last night.
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.1:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.2:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.3:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.4:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.5:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.6:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.7:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.8:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.9:111 L=40 S=0x00 I=62128 F=0x0000 T=238
Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 211.36.16.2:53 x.x.x.10:111 L=40 S=0x00 I=62128 F=0x0000 T=238
....

Any idea what is it? New sunrpc xploit in the wild?
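The pattern Rob describes, a packet carrying source port 53 so that a stateless firewall mistakes it for a DNS reply, is easy to pick out of the kind of packet log C. posted. Below is an added example (not code from either poster or from Network ICE) that parses ipchains-style "Packet log:" lines in the format quoted above, flags packets whose source port is 53 but whose destination is a service port such as 111/sunrpc, and separately reports sources that hit many hosts in a sweep. The sample lines, the RFC 5737 addresses in them and the thresholds are constructed for the example.

```python
"""Spot inbound packets that use source port 53 as a firewall-evasion trick,
plus simple host-sweep detection, over ipchains-style "Packet log:" lines.
Added example for this thread; not code from the original posts. The log
format follows the lines quoted in the post; sample lines below are constructed.
"""
import re
from collections import defaultdict

# One ipchains "Packet log:" record, e.g.
#   ... kernel: Packet log: scalain REJECT eth0 PROTO=6 1.2.3.4:53 5.6.7.8:111 L=40 S=0x00 I=62128 F=0x0000 T=238
# Hosts are matched with [\w.]+ so masked addresses like x.x.x.1 (as in the post) still parse.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
PROTO_NAMES = {6: "TCP", 17: "UDP"}
DNS_PORT = 53
SERVICE_PORT_MAX = 1023   # a DNS *reply* lands on the resolver's ephemeral port, not on a service port
SWEEP_THRESHOLD = 5       # distinct destination hosts from one source before we call it a sweep (constructed)


def parse_line(line):
    """Return the record as a dict with numeric fields converted, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    return rec


def is_fake_dns_reply(rec):
    """Source port 53 aimed at a service port (e.g. 111/sunrpc) is not a DNS reply:
    a genuine reply goes back to the ephemeral port the resolver queried from."""
    return rec["sport"] == DNS_PORT and rec["dport"] != DNS_PORT and rec["dport"] <= SERVICE_PORT_MAX


def analyze(lines):
    """Return (alerts, sweeps): one alert per fake-DNS packet, and sources that touched many hosts."""
    alerts = []
    targets_by_source = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unrelated syslog noise
        targets_by_source[rec["src"]].add(rec["dst"])
        if is_fake_dns_reply(rec):
            alerts.append({
                "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                "proto": PROTO_NAMES.get(rec["proto"], str(rec["proto"])),
                "verdict": rec["verdict"],
            })
    sweeps = {src: sorted(dsts) for src, dsts in targets_by_source.items() if len(dsts) >= SWEEP_THRESHOLD}
    return alerts, sweeps


# Constructed sample log (RFC 5737 documentation addresses), in the post's ipchains format:
# a sweep of 111/tcp from source port 53, one genuine UDP DNS reply, and an unrelated kernel line.
SAMPLE_LOG = [
    "Jan 20 22:29:55 main kernel: Packet log: scalain REJECT eth0 PROTO=6 198.51.100.7:53 192.0.2.%d:111 "
    "L=40 S=0x00 I=62128 F=0x0000 T=238" % n for n in range(1, 7)
] + [
    "Jan 20 22:30:01 main kernel: Packet log: scalain ACCEPT eth0 PROTO=17 198.51.100.53:53 192.0.2.1:34567 "
    "L=93 S=0x00 I=1801 F=0x0000 T=57",
    "Jan 20 22:30:02 main kernel: eth0: link up",
]

if __name__ == "__main__":
    found, sweeping = analyze(SAMPLE_LOG)
    for a in found:
        print("fake DNS reply: %(src)s:53 -> %(dst)s:%(dport)d %(proto)s (%(verdict)s)" % a)
    for src, hosts in sweeping.items():
        print("host sweep from %s: %d targets" % (src, len(hosts)))
```

The destination-port test is what keeps the genuine reply in the sample from being flagged: a resolver receives answers on the ephemeral port it asked from, so source port 53 arriving at a low-numbered service port has no DNS transaction behind it. The heuristic is a log-side check only; the durable fix for the firewall itself is the one implied in the thread, replacing the blanket "allow source port 53" rule with stateful tracking that admits a UDP reply only when a matching outbound query was seen.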