Security Incidents mailing list archives

Increase of attempts on port 635 in last couple days


From: Jeff Lane <crash () pinehurst net>
Date: Wed, 02 Apr 2003 10:45:14 -0500

Has anyone else had an increase of scans on port 635 in the last couple days? For me the attacks started showing up on almost an hourly basis since Monday night. Here are some log snippets from portsentry:

Apr  2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635

Apr  2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)

There are several of these from "unknown host" and a few from actual resolved hosts.  AFAIK, the only thing on 635 is 
old rpc.mountd but I wasn't sure if there was something else going on that I don't know about (there's a lot that I don't know about, 
so that would not be too surprising).

Also, I have noticed that these seem to be targeted at three specific machines, as none of the others have been 
reporting any issues regarding this port (just the normal scans, pings, and connect attempts).

Cheers
Jeff
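
An added example, not part of the original post: a small Python tally of portsentry attackalert lines for one port, grouped by reporting machine, hour and source, to check whether the probes are hourly and limited to a few machines. The first two sample lines are taken from the post; the others (hosts raq2 and raq3, the 192.0.2.x addresses) are constructed, and the regex covers only the two alert formats shown above.

```python
import re
from collections import Counter

# First two lines are from the post; the remaining three are constructed
# samples in the same format (raq2, raq3 and 192.0.2.x are made up).
SAMPLE_LOG = """\
Apr  2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)
Apr  2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635
Apr  2 17:02:11 raq2 portsentry[901]: attackalert: Connect from host: host.example.net/192.0.2.10 to TCP port: 635
Apr  2 17:40:03 raq2 portsentry[901]: attackalert: Connect from host: 192.0.2.44/192.0.2.44 to TCP port: 111
Apr  2 18:05:57 raq3 portsentry[877]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)
"""

# Matches the two alert shapes quoted in the post: a completed connect
# ("host/ip") and a failed accept with no peer address ("unknown host").
ALERT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"(?P<sensor>\S+)\s+portsentry\[\d+\]:\s+attackalert:\s+"
    r"(?:Connect from host:\s+\S+/(?P<ip>\S+)"
    r"|Possible stealth scan from unknown host)"
    r"\s+to\s+(?P<proto>TCP|UDP)\s+port:\s+(?P<port>\d+)"
)

def summarize(log_text, port=635):
    """Count alerts for `port` per reporting machine, per hour, per source IP."""
    by_sensor, by_hour, by_source = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ALERT.match(line)
        if not m or int(m["port"]) != port:
            continue  # not a portsentry alert, or a different port
        by_sensor[m["sensor"]] += 1
        by_hour[f'{m["mon"]} {m["day"]} {m["hour"]}:00'] += 1
        # Failed accepts carry no peer address, so bucket them together.
        by_source[m["ip"] or "unknown"] += 1
    return by_sensor, by_hour, by_source

if __name__ == "__main__":
    sensors, hours, sources = summarize(SAMPLE_LOG)
    for title, counts in (("machine", sensors), ("hour", hours), ("source", sources)):
        print(f"-- port 635 alerts by {title}")
        for key, n in sorted(counts.items()):
            print(f"{n:4d}  {key}")
```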


