Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?


From: Ignacio Machin <imachin () CI CL>
Date: Thu, 18 Jan 2001 09:07:19 -0600

I have also noted an increase in RPC scanning; yesterday's were from:
ftp.bses.tcc.edu.tw  an RH 6.0 on a i586 kernel 2.2.5
medicina20.bio.um.es an RH 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586
205.218.251.7 Red Hat  6.2 (Zoot) Kernel 2.2.14-5.0smp on a 2-processor i686
216.82.71.6  Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21
on Linux (obtained with netcraft )
211.62.38.22 RH 6.2 (Zoot) Kernel 2.2.14-5.0 on an i686

So after this I noticed something:

ALL of them are RH boxes, and all of them seem to have weak protection or none,
because I could connect to ports 23, 21, 25 on almost all of them (except
216.82.71.6).

Going now to check if there is some bug on those systems regarding RPC.
Also to note is that the above reports are from an NT box, so the "thing" has
no OS detection system.

----- Original Message -----
From: "Nathan W. Lindstrom" <nlindstrom () ENSIM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, January 16, 2001 2:25 PM
Subject: Re: anyone else seen an increase in sunrpc scans these days?


I strongly recommend downloading, building and running PortSentry from
http://www.psionic.com/abacus/portsentry/

I have run it with great success on FreeBSD, Linux and Solaris.

--Nathan



Digital Overdrive wrote:

[requoted]

Cristian Dumitrescu wrote:
On Mon, 15 Jan 2001, Alex Popa wrote:

In the last five days, the port scans to my entire class C have dramatically
increased, from one per two days on average, to four yesterday and six today.

Is there a new exploit around, or is there some sort of new worm out there?

I might just be paranoid, but here are the addresses that have been looking
for port 111 in the last 26 hours:


Hey
I've been experiencing the same kind of scans in the last 2 weeks, with
increased density in the last days, from these IP addresses:


Just one question: how do you detect these scans?
I can't find anything in my logs, but I don't have programs like
portsentry running. What can you (all) advise me?

Kind regards,

Jan

--
 .~.   Dutch Security Information Network : http://www.dsinet.org
 /V\   news:alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
/( )\  digiover () dsinet org / digiover () cotse com
^^-^^                      "Microsoft: We make virii work!"

--


[Your mouse moved. Windows NT will be restarted for your changes to take
effect.]
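Jan's question in the quoted thread (how to see the port 111 probes when nothing shows in the logs) is answered there by running PortSentry. As an added illustration that is not part of the original thread, the script below counts distinct sources probing port 111 per day from firewall log lines and flags days above the roughly one-scanner-per-day baseline Alex describes as normal. The log format, hostnames and addresses are constructed; the parser assumes lines in the style of a netfilter LOG message (SRC=/DPT= fields).

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a netfilter LOG target message.
# Addresses are documentation ranges; none of this is real log data.
SAMPLE_LOG = """\
Jan 15 03:12:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4321 DPT=111 SYN
Jan 15 03:12:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=4322 DPT=111 SYN
Jan 15 11:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=1040 DPT=80 SYN
Jan 16 01:05:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=2001 DPT=111 SYN
Jan 16 01:05:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.7 PROTO=TCP SPT=2002 DPT=111 SYN
Jan 16 06:30:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=3333 DPT=111 SYN
Jan 16 09:12:31 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=5555 DPT=111 SYN
Jan 16 17:48:19 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.5 PROTO=TCP SPT=6000 DPT=111 SYN
"""

# Day prefix ("Jan 16"), source address and destination port of one log line.
LINE_RE = re.compile(r"^(?P<date>\w{3}\s+\d{1,2}) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def sources_per_day(log_text, port=111):
    """Map each day to the set of distinct source addresses that probed `port`.

    Counting distinct sources rather than packets keeps one scanner sweeping
    the whole class C from looking like many scanners.
    """
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("dpt")) == port:
            days[m.group("date")].add(m.group("src"))
    return days


def flag_scan_days(log_text, baseline_per_day=1, port=111):
    """Return (day, distinct_scanner_count) for days above the baseline.

    The default baseline is the rate the thread treats as normal (about one
    scanner every two days, so at most one per day); anything above it is
    the kind of jump Alex reported and is worth a closer look.
    """
    per_day = sources_per_day(log_text, port)
    return [(day, len(srcs)) for day, srcs in sorted(per_day.items())
            if len(srcs) > baseline_per_day]
```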

