Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?

From: Edward Mitchell <ed () XWING CENTIGRAM COM>
Date: Mon, 15 Jan 2001 07:34:05 -0800

The last 10 days have seen a total of 15 sunrpc scans/rpcinfo queries and
related exploit attempts against my network.  Oddly, snort reports the
rpc exploits as x86 versions.  I thought there was a sparc port for the
Solaris vulnerability, but maybe I'm mistaken.  Either stupid people out
there can't tell an x86 from a sparc box, or snort's rule is flawed...

The other most common attack these days is against ftp, namely wu-ftpd
2.6.1(very patched).

*sigh*

On Mon, 15 Jan 2001, Alex Popa wrote:

In the last five days, the port scans to my entire class C have dramatically
increased, from one per two days on average, to four yesterday and six today.

Is there a new exploit around, or is there some sort of new worm out there?

I might just be paranoid, but here are the addreses that have been looking
for port 111 in the last 26 hours:

24.26.121.156
24.168.66.119
64.31.226.156
142.169.227.102
193.226.15.15
211.218.144.11

------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor () ldc ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

Current thread:

Re: anyone else seen an increase in sunrpc scans these days?, (continued)
- Re: anyone else seen an increase in sunrpc scans these days? Mihai Moldovanu (Jan 15)
  - FTP and RPC based worms [was anyone else ...] Russell Fulton (Jan 15)
    - Re: FTP and RPC based worms [was anyone else ...] Royans K Tharakan (Jan 15)
    - Re: FTP and RPC based worms [was anyone else ...] slim bones (Jan 16)
    - Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Mihai Moldovanu (Jan 16)
    - Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Jeffrey F. Lawhorn (Jan 16)
    - Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Daniel Martin (Jan 16)
    - Re: FTP and RPC based worms [was anyone else ...] Steve Clement (Jan 16)
- Re: anyone else seen an increase in sunrpc scans these days? thomas lakofski (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Niels Heinen (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Edward Mitchell (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Timothy Lyons (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Alfred Huger (Jan 15)
  - Rise in rpc scans - Honeynet Project Lance Spitzner (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Ed Woodson (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? James Bryan (Jan 15)