Re: Increase in RPC Port scans (portmap probes) (fwd)

From: Alfred Huger (ahat_private)
Date: Thu Apr 19 2001 - 09:22:04 PDT


    VP Engineering
    SecurityFocus.com
    "Vae Victis"
    
    ---------- Forwarded message ----------
    Date: Thu, 19 Apr 2001 09:32:39 -0500 (CDT)
    From: Lance Spitzner <lanceat_private>
    To: Alfred Huger <ahat_private>
    Subject: Re: Increase in RPC Port scans (portmap probes)
    
    On Wed, 18 Apr 2001, Alfred Huger wrote:
    
    > I too am seeing a huge leap in the amount of portmap probes I am seeing at
    > home on a cable network.  In the 4 hours I have seen 8 probes to 111. From
    > what I can see just from my own data here is that they are all Linux and
    > are all running every service under the sun.
    >
    > It could be someone out there gaining more traction with one of the Linux
    > worms we have all seen lately or it could be a new variant although I
    > doubt its payload contains a new exploit (for a formerly unknown vuln).
    >
    > 5 of the eight hosts were in Korea, everyone has been notified.
    
    Heh Heh, Koreans are getting the bad rap.  Almost every time one of
    our Honeynet systems gets whacked from a Korean site, it's actually
    an Eastern European blackhat.  For example, our last Linux honeypot
    that was hit came from an Elementary School based in Korea, however
    they set up an IRC bot and were talking in Romanian.  We have also
    seen the same for Croatian and Serbian channels.
    
    lance
    


