Re: anyone else seen an increase in sunrpc scans these days?

[Steve Buttgereit <steve () BUTTGEREIT NET>]

I'm beginning see a lot, too.  All different IPs though.  I'm also seeing a
lot of scans in my snort log that follow this pattern: FIN scan to port
111 --> RPC Info. Query --> RPC portmap-request status --> Shellcode x86
NOPS.  It all started about a week ago.

SCB
 -----Original Message-----
From:   Jason Lewis [mailto:jlewis () JASONLEWIS NET]
Sent:   Sunday, January 14, 2001 10:20 PM
To:     INCIDENTS () SECURITYFOCUS COM
Subject:        Re: anyone else seen an increase in sunrpc scans these days?

I couldn't find any of those addresses, but I have similar scans in my logs.

63.91.6.36
64.32.209.213
64.21.114.2
66.22.62.2
216.98.160.251

Last 24 hours....all the above IP's are looking for Sun RPC.

jas
http://www.rivalpath.com

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Alex Popa
Sent: Sunday, January 14, 2001 7:26 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: anyone else seen an increase in sunrpc scans these days?


In the last five days, the port scans to my entire class C have dramatically
increased, from one per two days on average, to four yesterday and six
today.

Is there a new exploit around, or is there some sort of new worm out there?

I might just be paranoid, but here are the addreses that have been looking
for port 111 in the last 26 hours:

24.26.121.156
24.168.66.119
64.31.226.156
142.169.227.102
193.226.15.15
211.218.144.11

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor () ldc ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."