Re: Help! RPC Port 111

[Erek Adams <erek () theadamsfamily net>]

On Thu, 27 Sep 2001, T.Ferris wrote:

> Ok,
>
> I am running Snort IDS on Mandrake 8.0.  I just received this alert below.
>
>
> [**] [1:583:1] RPC portmap request rstatd [**]
> [Classification: Attempted Information Leak] [Priority: 3]
> 09/27-05:51:47.239050 216.56.21.X873 -> 192.168.1.100:111
> UDP TTL:47 TOS:0x0 ID:44461 IpLen:20 DgmLen:84
> Len: 64
> [Xref => http://www.whitehats.com/info/IDS10]
>
> [**] [1:1282:1] RPC EXPLOIT statdx [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 09/27-05:51:47.414408 216.56.21.X:874 -> 192.168.1.100:1024
> UDP TTL:47 TOS:0x0 ID:44578 IpLen:20 DgmLen:1104
> Len: 1084
> [Xref => http://www.whitehats.com/info/IDS442]
>
> I dont even know if he got root on my box or not.  How can I close RPC Port
> 111?

[Note, I don't know linux, so this is a bit vauge...]

Turn off all RPC based services in /etc/inetd.conf.  Turn off any startup
scripts in /etc/rc?.d/ that call portmapper.  If you're not running NFS you
don't need statd or lockd.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users