Security Incidents mailing list archives

Re: Lots of rpc.statd probes lately


From: James Paterson <jpaterson () DATAMIRROR COM>
Date: Thu, 1 Mar 2001 14:18:24 -0500

-- snip

eventually all the boxes that can be exploited will be exploited and the number
of scans should begin tapering off as some of the compromised boxes are fixed.

-- snip

I would suggest quite the opposite, I am sure that the number of exploitable
boxes being added every minute by far exceeds those that are properly secured,
and the number of machines being connected to the net is not going down. Which
is why we have to spread the word and educate people about securing their
systems, before the Internet melts through heat death caused by SK's using nmap
;).

-----Original Message-----
From: Steve Stearns [mailto:sterno () BIGBROTHER NET]
Sent: Thursday, March 01, 2001 1:10 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Lots of rpc.statd probes lately


Frank Louwers wrote:

The last 2 weeks, I've seen a HUGE increase in rpc.statd probes.
Any new exploits around?

Frank

The system I run is a relatively low profile system (linux box hooked up
to a DSL line with just my low traffic website on it).  So, my
assumption is that almost all of the rpc probes I see are from
sequential searches of IP addresses.  Since February 12th I have seen 73
unique rpc probes on my system making for an average of just over 4
probes a day (and it seems like it's been increasing lately).  Not a lot
in the grand scheme of things, but considering that this is almost all
from sequential scanning, it seems like a whole lot to me.

By contrast, a few months ago I was maybe getting 3 probes a week (and
that's all kinds of probes, not just RPC).  So I've seen at least an
order of magnitude increase (using my relatively unscientific
measurements).  I think that the big increases aren't so much attributed
to new exploits, but rather that as vulnerable boxes are exploited, they
increase the number of overall scans resulting in more exploits, wash,
rinse, repeat.  On the bright side, eventually all the boxes that can be
exploited will be exploited and the number of scans should begin
tapering off as some of the compromised boxes are fixed.

---Steve

