Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?


From: Brian Taylor <drak3 () ATL MEDIAONE NET>
Date: Mon, 15 Jan 2001 15:11:41 -0800

OK, I just thought it was me!!!!  Exactly what you posted.  In fact, looking
at a few of my customer's logs the other day, they have kicked up about 9
days ago...  I will research if there is a new exploit out and let you know
if I find anything.  The Shellcode x86 NOPS have nearly tripled in frequency
where the RPC Portmaps have doubled or more.  Most appear from a lot of the
24.x.x.x and 63/64.x.x.x cablemodem and DSL blocks (indicating probable
script-kiddie usage and possibly also indicating that this is a packaged
scan or exploit) as well as AsiaPac (mainly Korea, though).  Ports 111, 12345
and the ever popular 31337 being the ones scanned and they tend to work
ranges as opposed to sparse scans.

Any ideas?!!?!!?

Best regards,


Brian Taylor
Network Security Analyst
SecureWorks/IMSC
btaylor () secureworks net

