Snort mailing list archives
Re: Help! RPC Port 111
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 27 Sep 2001 18:35:36 -0700 (PDT)
On Thu, 27 Sep 2001, T.Ferris wrote:
> Ok, I am running Snort IDS on Mandrake 8.0. I just received this alert below.
>
> [**] [1:583:1] RPC portmap request rstatd [**]
> [Classification: Attempted Information Leak] [Priority: 3]
> 09/27-05:51:47.239050 216.56.21.X873 -> 192.168.1.100:111
> UDP TTL:47 TOS:0x0 ID:44461 IpLen:20 DgmLen:84
> Len: 64
> [Xref => http://www.whitehats.com/info/IDS10]
>
> [**] [1:1282:1] RPC EXPLOIT statdx [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 09/27-05:51:47.414408 216.56.21.X:874 -> 192.168.1.100:1024
> UDP TTL:47 TOS:0x0 ID:44578 IpLen:20 DgmLen:1104
> Len: 1084
> [Xref => http://www.whitehats.com/info/IDS442]
>
> I don't even know if he got root on my box or not. How can I close RPC Port 111?
[Note, I don't know Linux, so this is a bit vague...]

Turn off all RPC based services in /etc/inetd.conf. Turn off any startup scripts in /etc/rc?.d/ that call portmapper. If you're not running NFS you don't need statd or lockd.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
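The two checks suggested in the reply above, written out as an added shell example that is not part of the original message. It assumes the classic inetd.conf layout, where RPC services carry `rpc/udp` or `rpc/tcp` in the protocol field, and the start-script name patterns (`portmap`, `nfslock`, `statd`, `lockd`) are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example: report RPC services that are still enabled under ROOT.
# ROOT defaults to the live system; a test tree can be passed instead.

# Active inetd.conf entries are RPC-based when field 3 (protocol) starts
# with "rpc/"; commented-out lines are already disabled and are skipped.
rpc_inetd_entries() {
    conf="${1:-}/etc/inetd.conf"
    [ -f "$conf" ] || return 0
    awk '!/^[ \t]*#/ && $3 ~ /^rpc\// { print $1 " (" $3 ")" }' "$conf"
}

# Start links (S*) in /etc/rc?.d that launch the portmapper or NFS helpers.
# The name patterns are assumptions; adjust them to the distribution.
rpc_start_links() {
    root="${1:-}"
    for link in "$root"/etc/rc?.d/S*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        case "${link##*/}" in
            *portmap*|*nfslock*|*statd*|*lockd*) echo "$link" ;;
        esac
    done
}

# Print findings; return 0 when nothing RPC-related is enabled, 1 otherwise.
rpc_audit() {
    root="${1:-}"
    entries=$(rpc_inetd_entries "$root")
    links=$(rpc_start_links "$root")
    [ -z "$entries" ] || printf 'enabled in inetd.conf:\n%s\n' "$entries"
    [ -z "$links" ] || printf 'started at boot:\n%s\n' "$links"
    [ -z "$entries$links" ]
}
```

Run `rpc_audit` with no argument to check the live system. It inspects configuration files only, so inetd still has to re-read its configuration and any running portmapper still has to be stopped before port 111 actually closes.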