Security Incidents mailing list archives

RE: increase in scans for RPC


From: Dan Irwin <dan () jackies com au>
Date: Thu, 21 Mar 2002 10:28:31 +1000

I have noticed an increase in RPC scanning.

The vast majority of the machines probing me appear to be default
installations of Red Hat Linux 6.2 on Asian networks.

I set up a honeypot to try to catch some of this traffic. Within 6 hours of
going online, my honeypot had an RPC scanning worm. The worm (whose name I do
not know) lives in /dev/ida/.inet/, installs a modified ps (among
others), scans a class A for sunrpc servers, and puts the ethernet interface
into promiscuous mode to sniff passwords with linsniffer. I believe the worm
exploits the rpc.statd service included with rh6.2.

A quick search on Google reveals this worm has been seen before, so it's
nothing new :)

Dan.





--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au
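A host-side check for the two indicators Dan describes (the hidden /dev/ida/.inet/ directory and an interface left in promiscuous mode by the sniffer), as an added example that is not part of the original post. It assumes a modern Linux layout where interface flags are readable from /sys/class/net/<iface>/flags, and takes a root path so it can be pointed at a mounted disk image or, as here, at a constructed sample tree.

```python
import os
import tempfile
from typing import List

# IFF_PROMISC bit in the Linux interface flags word.
IFF_PROMISC = 0x100

# Hidden directory the worm reportedly uses (path taken from the post above),
# checked relative to `root` so the scan can run against an image or a test tree.
WORM_DIR = "dev/ida/.inet"


def check_host(root: str) -> List[str]:
    """Return human-readable indicator strings found under `root` (empty list if clean)."""
    findings = []
    if os.path.isdir(os.path.join(root, WORM_DIR)):
        findings.append(f"hidden directory present: /{WORM_DIR}")
    net_dir = os.path.join(root, "sys/class/net")
    if os.path.isdir(net_dir):
        for iface in sorted(os.listdir(net_dir)):
            flags_path = os.path.join(net_dir, iface, "flags")
            try:
                with open(flags_path) as fh:
                    flags = int(fh.read().strip(), 16)  # sysfs prints e.g. "0x1003"
            except (OSError, ValueError):
                continue
            if flags & IFF_PROMISC:
                findings.append(f"interface {iface} is in promiscuous mode")
    return findings


def build_sample_root() -> str:
    """Construct a throwaway tree mimicking an infected host (constructed test data, not a capture)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, WORM_DIR))
    # lo: UP|LOOPBACK; eth0: UP|BROADCAST|RUNNING|MULTICAST plus IFF_PROMISC (0x100).
    for iface, flags in (("lo", "0x9"), ("eth0", "0x1103")):
        iface_dir = os.path.join(root, "sys/class/net", iface)
        os.makedirs(iface_dir)
        with open(os.path.join(iface_dir, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root


if __name__ == "__main__":
    for finding in check_host(build_sample_root()):
        print(finding)
```

Run against a live host with `check_host("/")`; a modified ps will not show the sniffer process, which is why the check reads interface flags rather than the process list.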


-----Original Message-----
From: Todd Suiter [mailto:todd () s4r com]
Sent: Wednesday, 20 March 2002 10:12 AM
To: incidents () securityfocus com
Cc: Todd Suiter
Subject: increase in scans for RPC


Folks,

        We've seen a dramatic increase in SYN scans against tcp 111; went
from a couple a week to over 11,000 in the past week. Has anyone else
seen an increase like this? Is there yet another new tool out, or is
this looking for one of the older 'sploits? Is this rpc.cmsd?

t




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
