Security Incidents mailing list archives
Increase of attempts on port 635 in last couple days
From: Jeff Lane <crash () pinehurst net>
Date: Wed, 02 Apr 2003 10:45:14 -0500
Has anyone else had an increase of scans on port 635 in the last couple days? For me the attacks started showing up on almost an hourly basis since Monday night. Here are some log snippets from portsentry:
Apr 2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635
Apr 2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)

There are several of these from "unknown host" and a few from actual resolved hosts. AFAIK, the only thing on 635 is old rpc.mountd, but I wasn't sure if there was something else going on that I don't know about (there's a lot that I don't know about, so that would not be too surprising).

Also, I have noticed that these seem to be targeted at three specific machines, as none of the others have been reporting any issues regarding this port (just the normal scans, pings, and connect attempts).

Cheers
Jeff
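
An added example, not part of the message above and not portsentry's own code: a small Python parser for the two attackalert line shapes quoted in the post, tallying hits on one port by reporting machine, source and hour so the "which machines, how often, from where" questions can be answered from the logs. The raq2/raq3 lines, their PIDs and the example.net/example.org sources are constructed sample data.

```python
import re
from collections import Counter

# Matches the two portsentry "attackalert" shapes quoted in the message.
ALERT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"(?P<target>\S+)\s+portsentry\[\d+\]:\s+attackalert:\s+"
    r"(?:Connect from host:\s+\S+?/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"|Possible stealth scan from unknown host)"
    r"\s+to\s+(?P<proto>\w+)\s+port:\s+(?P<port>\d+)"
)

# The first two lines are from the message; the rest are constructed samples.
SAMPLE = [
    "Apr 2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635",
    "Apr 2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)",
    "Apr 2 16:12:03 raq2 portsentry[811]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)",
    "Apr 2 20:41:17 raq3 portsentry[902]: attackalert: Connect from host: host.example.net/192.0.2.44 to TCP port: 635",
    "Apr 2 20:50:02 raq3 portsentry[902]: attackalert: Connect from host: scan.example.org/198.51.100.7 to TCP port: 111",
    "Apr 2 21:00:00 raq1 crond[100]: unrelated line that must be ignored",
]

def parse_alert(line):
    """Return a dict for a portsentry attackalert line, or None otherwise."""
    m = ALERT.match(line)
    if m is None:
        return None
    return {
        "hour": f"{m['mon']} {m['day']} {m['hour']}h",
        "target": m["target"],
        # Stealth-scan alerts carry no address, so group them as "unknown".
        "source": m["ip"] or "unknown",
        "proto": m["proto"],
        "port": int(m["port"]),
    }

def summarize(lines, port):
    """Count alerts for one port by reporting machine, source and hour."""
    by_target, by_source, by_hour = Counter(), Counter(), Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["port"] != port:
            continue
        by_target[alert["target"]] += 1
        by_source[alert["source"]] += 1
        by_hour[alert["hour"]] += 1
    return by_target, by_source, by_hour

if __name__ == "__main__":
    for title, counts in zip(("targets", "sources", "hours"), summarize(SAMPLE, 635)):
        print(title, dict(counts))
```
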