Security Incidents mailing list archives
Re: anyone else seen an increase in sunrpc scans these days?
From: Ignacio Machin <imachin () CI CL>
Date: Thu, 18 Jan 2001 09:07:19 -0600
I have also noted an increase in RPC scanning. Yesterday's were from:

ftp.bses.tcc.edu.tw: an RH 6.0 on an i586, kernel 2.2.5
medicina20.bio.um.es: an RH 6.2 (Zoot), Kernel 2.2.14-5.0 on an i586
205.218.251.7: Red Hat 6.2 (Zoot), Kernel 2.2.14-5.0smp on a 2-processor i686
216.82.71.6: Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21 on Linux (obtained with netcraft)
211.62.38.22: RH 6.2 (Zoot), Kernel 2.2.14-5.0 on an i686

So after this I noticed something: ALL of them are RH boxes, and all of them seem to have weak protection or none, because I could connect to ports 23, 21, 25 in almost all of them (except 216.82.71.6).

Going now to check if there is some bug on those systems regarding the RPC. Also to note is that the above reports are from an NT box, so the "thing" has no OS detection system.

----- Original Message -----
From: "Nathan W. Lindstrom" <nlindstrom () ENSIM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, January 16, 2001 2:25 PM
Subject: Re: anyone else seen an increase in sunrpc scans these days?
I strongly recommend downloading, building and running PortSentry from http://www.psionic.com/abacus/portsentry/

I have run it with great success on FreeBSD, Linux and Solaris.

--Nathan

Digital Overdrive wrote:
> Cristian Dumitrescu wrote:
> > On Mon, 15 Jan 2001, Alex Popa wrote:
> > > In the last five days, the port scans to my entire class C have dramatically
> > > increased, from one per two days on average, to four yesterday and six today.
> > > Is there a new exploit around, or is there some sort of new worm out there?
> > > I might just be paranoid, but here are the addresses that have been looking
> > > for port 111 in the last 26 hours:
> > > 24.26.121.156 24.168.66.119 64.31.226.156 142.169.227.102 193.226.15.15 211.218.144.11
> >
> > Hey, I've been experiencing the same kind of scans in the last 2 weeks, with
> > increased density in the last days, from these IP addresses:
> > 211.120.63.136 213.154.132.122 210.205.6.215 24.114.48.24 62.83.125.82 193.231.199.4 193.40.223.66 65.3.3.83 193.230.227.234
>
> Just one question: How do you detect these scans? I can't find anything in my
> logs, but I don't have programs like portsentry running. What can you (all)
> advise me?
>
> Kind regards,
> Jan
>
> --
>  .~.    Dutch Security Information Network : http://www.dsinet.org
>  /V\    news:alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
> /( )\   digiover () dsinet org / digiover () cotse com
> ^^-^^   "Microsoft: We make virii work!"

--
[Your mouse moved. Windows NT will be restarted for your changes to take effect.]
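
A sketch of how the port 111 sweeps discussed in this thread can be picked out of connection logs, added here as an example and not part of any poster's message or of PortSentry: it flags a source that probes many distinct hosts on one port within a short window. The record format, function names and addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records in a hypothetical "timestamp src dst dport" format,
# sorted by time, e.g. exported from a packet filter's deny log.
SAMPLE_LOG = """\
2001-01-15T10:00:01 203.0.113.9 192.0.2.1 111
2001-01-15T10:00:01 203.0.113.9 192.0.2.2 111
2001-01-15T10:00:02 203.0.113.9 192.0.2.3 111
2001-01-15T10:00:02 198.51.100.20 192.0.2.10 111
2001-01-15T10:00:03 203.0.113.9 192.0.2.4 111
2001-01-15T10:00:03 203.0.113.9 192.0.2.5 111
2001-01-15T10:00:09 198.51.100.20 192.0.2.10 111
2001-01-15T10:00:30 198.51.100.5 192.0.2.25 25
truncated record
2001-01-15T11:00:00 198.51.100.77 192.0.2.1 111
2001-01-15T13:00:00 198.51.100.77 192.0.2.2 111
2001-01-15T15:00:00 198.51.100.77 192.0.2.3 111
2001-01-15T17:00:00 198.51.100.77 192.0.2.4 111
"""

def parse(line):
    """Split one record; raises ValueError on malformed input."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_sweeps(lines, port=111, min_hosts=4, window_s=60):
    """Return {src: most distinct hosts probed on `port` within `window_s`}
    for every source that reached at least `min_hosts` distinct hosts."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    flagged = {}
    for line in lines:
        try:
            ts, src, dst, dport = parse(line)
        except ValueError:
            continue  # skip blank or damaged records instead of aborting
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop probes that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({d for _, d in q})  # repeat hits on one host count once
        if distinct >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {hosts} hosts on port 111 within 60s")
```

A short window misses slow scanners such as the constructed 198.51.100.77 entries; widening `window_s` catches them at the cost of more state per source.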