Security Incidents mailing list archives

RE: Port 111 Traffic


From: "Michael Ward" <Mward () roseglen com>
Date: Wed, 12 Dec 2001 10:22:13 -0500

Tim,

There are several well known exploits aimed at port 111.  Take a look
and see if any of these fit your scenario.

CA-2001-05, Exploitation of snmpXdmid
IN-2001-01, Widespread Compromises via "ramen" Toolkit
IN-2000-10, Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
CA-2000-17, Input Validation Problem in rpc.statd
CA-1999-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
CA-1999-12, Buffer overflow in amd
CA-1999-08, Buffer overflow in rpc.cmsd
CA-1999-05, Vulnerability in statd exposes vulnerability in automountd
CA-1998-12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
CA-1998-11, Vulnerability in ToolTalk RPC service
CA-2001-11, sadmind/IIS Worm

More info can be found here.
http://www.cert.org/current/current_activity.html#ssh

-Mike

-----Original Message-----
From: Tim Brown [mailto:tim.brown () ncmail net]
Sent: Tuesday, December 11, 2001 4:21 PM
To: INCIDENTS () securityfocus com
Subject: Re: Port 111 Traffic


To clarify: the zeros in the destination address are actually there.
Only the first two octets of the source have been changed to nnn.nnn.

Tim Brown wrote:

This information was generated by snoop on Solaris.  Any ideas?  See 
bottom of message for a single verbose packet capture.
nnn.nnn = the not so innocent IP.

nnn.nnn.213.13 -> 0.47.0.205   TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.204   TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.37   TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.207   TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.208   TCP D=111 S=33402 Syn Seq=2559390097 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.209   TCP D=111 S=33403 Syn Seq=2559476442 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.38   TCP D=111 S=59774 Rst Seq=2178892699 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.42   TCP D=111 S=59778 Rst Seq=2179194372 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.215   TCP D=111 S=33409 Syn Seq=2559700481 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.214   TCP D=111 S=33408 Syn Seq=2559656916 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.43   TCP D=111 S=59779 Rst Seq=2179223246 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.216   TCP D=111 S=33410 Syn Seq=2559772250 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.44   TCP D=111 S=59780 Rst Seq=2179342238 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.218   TCP D=111 S=33412 Syn Seq=2559854823 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.45   TCP D=111 S=59781 Rst Seq=2179387236 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.46   TCP D=111 S=59782 Rst Seq=2179459169 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.219   TCP D=111 S=33413 Syn Seq=2559861661 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.48   TCP D=111 S=59784 Rst Seq=2179596754 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.221   TCP D=111 S=33415 Syn Seq=2559922066 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.50   TCP D=111 S=59786 Rst Seq=2179755204 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.226   TCP D=111 S=33420 Syn Seq=2560346165 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.227   TCP D=111 S=33421 Syn Seq=2560403095 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.235   TCP D=111 S=33429 Syn Seq=2561000060 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.233   TCP D=111 S=33427 Syn Seq=2560897528 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.237   TCP D=111 S=33431 Syn Seq=2561153509 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.238   TCP D=111 S=33432 Syn Seq=2561195283 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.240   TCP D=111 S=33434 Syn Seq=2561332283 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.242   TCP D=111 S=33436 Syn Seq=2561468508 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.55   TCP D=111 S=56202 Rst Seq=240026718 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.57   TCP D=111 S=56204 Rst Seq=240210073 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.58   TCP D=111 S=56205 Rst Seq=240300794 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.59   TCP D=111 S=56206 Rst Seq=240409147 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.60   TCP D=111 S=56207 Rst Seq=240429542 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.61   TCP D=111 S=56208 Rst Seq=240433968 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.62   TCP D=111 S=56209 Rst Seq=240477791 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.65   TCP D=111 S=56212 Rst Seq=240763588 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.72   TCP D=111 S=56219 Rst Seq=241169371 Len=0 Win=8760

Verbose Output of one packet:

ETHER:  ----- Ether Header -----
ETHER: ETHER:  Packet 6 arrived at 14:48:18.30
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 0:10:7:dc:38:60,
ETHER:  Source      = 0:e0:3n:nn:nn:nn,
ETHER:  Ethertype = 0800 (IP)
ETHER: IP:   ----- IP Header -----
IP:  IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 7932
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 251 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = f5c2
IP:   Source address = nnn.nnn.213.11, nnn.nnn.213.11
IP:   Destination address = 0.57.0.36, 0.57.0.36
IP:   No options
IP:  TCP:  ----- TCP Header -----
TCP: TCP:  Source port = 33596
TCP:  Destination port = 111
TCP:  Sequence number = 3073870737
TCP:  Acknowledgement number = 0
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x04
TCP:        ..0. .... = No urgent pointer
TCP:        ...0 .... = No acknowledgement
TCP:        .... 0... = No push
TCP:        .... .1.. = Reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x5c23
TCP:  Urgent pointer = 0
TCP:  No options
TCP:


-- 

Tim





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
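The snoop summary lines Tim posted are regular enough to triage automatically. The following is an added example, not code from the thread: it parses the one-line snoop TCP format, groups packets by source, and flags any source that touches several distinct hosts on port 111, separately counting SYN versus RST packets and destinations of the form 0.x.0.y that Tim confirmed are literally present. The sample lines and the threshold of five targets are constructed for the example.

```python
import re
from collections import defaultdict

# One-line snoop TCP summary, e.g.
# "nnn.nnn.213.13 -> 0.47.0.205   TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760"
SNOOP_RE = re.compile(
    r"^(?P<src>[\w.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)"
    r"\s+(?P<flags>\w+)\s+Seq=(?P<seq>\d+)\s+Len=(?P<len>\d+)\s+Win=(?P<win>\d+)"
)

def parse_snoop(lines):
    """Parse snoop summary lines into dicts; lines in another format are skipped."""
    out = []
    for line in lines:
        m = SNOOP_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for k in ("dport", "sport", "seq", "len", "win"):
                rec[k] = int(rec[k])
            out.append(rec)
    return out

def suspicious_dst(addr):
    """True for 0.x.0.y destinations: first and third octets zero, never a routable host."""
    o = addr.split(".")
    return len(o) == 4 and o[0] == "0" and o[2] == "0"

def detect_sweep(records, port=111, min_targets=5):
    """Per source, count distinct targets on `port`; return sources at or above the threshold."""
    by_src = defaultdict(lambda: {"targets": set(), "flags": defaultdict(int), "bogus_dst": 0})
    for r in records:
        if r["dport"] != port:
            continue
        s = by_src[r["src"]]
        s["targets"].add(r["dst"])
        s["flags"][r["flags"]] += 1          # SYN probes vs. bare RSTs seen in the post
        if suspicious_dst(r["dst"]):
            s["bogus_dst"] += 1
    return {src: {"targets": len(s["targets"]), "flags": dict(s["flags"]), "bogus_dst": s["bogus_dst"]}
            for src, s in by_src.items() if len(s["targets"]) >= min_targets}

# Constructed sample in the thread's snoop format; sources masked as in the post.
SAMPLE = """\
nnn.nnn.213.13 -> 0.47.0.205   TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.204   TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.207   TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.208   TCP D=111 S=33402 Syn Seq=2559390097 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.209   TCP D=111 S=33403 Syn Seq=2559476442 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.37   TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
10.0.0.5 -> 10.0.0.9   TCP D=22 S=40001 Syn Seq=1 Len=0 Win=8760
""".splitlines()
```

Running `detect_sweep(parse_snoop(SAMPLE))` flags only nnn.nnn.213.13 (five targets, all SYN, all bogus destinations); the single RST from .11 and the SSH line stay below the threshold.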

