Security Incidents mailing list archives

SGI RPC broadcast


From: "Chris Bauer" <cbauer () mco edu>
Date: Thu, 07 Jun 2001 13:09:22 -0400

I have recently noticed an SGI machine on our network which is broadcasting UDP packets from port 1025 to port 111 at a pretty regular 5 second interval. I have looked online and have found a couple of Windows exploits that do this, and one article mentioned port 1025 used for SGI's mountd. I am not familiar with the nuances of SGI. I do know, though, that none of the other SGIs on the network are doing this.

Has anyone else seen this? I've included this small snippet of the Snort log.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] RPC portmap request rstatd [**]
06/06-15:19:30.121285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58382 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] RPC portmap request rstatd [**]
06/06-15:19:35.211285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58485 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] RPC portmap request rstatd [**]
06/06-15:19:40.251285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
UDP TTL:60 TOS:0x0 ID:58519 IpLen:20 DgmLen:136
Len: 116
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks in advance

-Chris
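
The regularity reported in the message above can be checked mechanically. The following is an added example, not part of the original post: it parses alert blocks in the format quoted there and reports flows whose alert gaps are near-constant. The function names, the 0.5 second jitter threshold, the three-alert minimum and the `year` parameter are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The three alerts quoted in the post, trimmed to the header and packet lines.
SAMPLE = """\
[**] RPC portmap request rstatd [**]
06/06-15:19:30.121285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
[**] RPC portmap request rstatd [**]
06/06-15:19:35.211285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
[**] RPC portmap request rstatd [**]
06/06-15:19:40.251285 xxx.xxx.xxx.xxx:1025 -> xxx.xxx.xxx.xxx:111
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
PACKET = re.compile(r"^(\d\d/\d\d-[\d:.]+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def parse_alerts(text, year=2001):
    """Return (signature, time, src, sport, dst, dport) for each alert block.
    The timestamps carry no year, so `year` is an assumed parameter."""
    alerts, sig = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            sig = m.group(1)
        elif sig and (m := PACKET.match(line)):
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append((sig, ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
            sig = None
    return alerts

def periodic_flows(alerts, max_jitter=0.5, min_alerts=3):
    """Map each flow whose alert gaps are near-constant to its mean gap in seconds."""
    times = defaultdict(list)
    for sig, ts, src, sport, dst, dport in alerts:
        times[(sig, src, sport, dst, dport)].append(ts)
    found = {}
    for flow, seen in times.items():
        if len(seen) < min_alerts:
            continue  # too few samples to call the flow periodic
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if pstdev(gaps) <= max_jitter:  # low spread means a timer, not a person
            found[flow] = mean(gaps)
    return found

if __name__ == "__main__":
    for flow, gap in periodic_flows(parse_alerts(SAMPLE)).items():
        print(f"{flow[0]}: {flow[1]}:{flow[2]} -> {flow[3]}:{flow[4]} every {gap:.2f}s")
```

A fixed source port combined with a near-zero spread in the gaps points to a single long-running process on a timer, which narrows what to look for on the host itself.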

