Re: Increase in Sun RPC Scans

From: Randy Johnson (rjohnson2at_private)
Date: Thu Apr 19 2001 - 10:10:58 PDT

    I've also seen an increase in SunRPC (port 111) scans/attempted
    connections. Over the last 3 weeks, I've been getting 2 or 3 a day.
    Most of them originate from Korea.
    
    I was also hit by a couple of IPs attempting to compromise my machine
    via LPD (port 515).
    
    Randy Johnson
    
    > -----Original Message-----
    > From: Incidents Mailing List [mailto:INCIDENTSat_private]On
    > Behalf Of Arthur Donkers
    > Sent: Thursday, April 19, 2001 11:39 AM
    > To: INCIDENTSat_private
    > Subject: Re: Increase in Sun RPC Scans
    >
    >
    > Hi,
    >
    > Same here. Methinks it has to do with the different Linux-based
    > worms running 'round on the Internet. They scan for vulnerabilities
    > in BIND (53), LPD (515) and statd which is serviced by the
    > portmapper (111).
    >
    > Are they just regular syn/stealth scans or do they contain a
    > payload as well?
    >
    > The higher ports are most probably backdoor related ports.
    >
    > Grtz,
    >
    > Arthur
    >
    > On Thu, Apr 19, 2001 at 12:58:55AM -0400, Chris Arnold wrote:
    > > A severe increase as well as a major increase in ports in the 32k
    > > range.
    > >
    > > Chris
    > >
    > > -----Original Message-----
    > > From: Jason Lewis
    > > To: INCIDENTSat_private
    > > Sent: 4/18/01 11:28 PM
    > > Subject: Increase in Sun RPC Scans
    > >
    > > Anyone else seeing an increase in SunRPC (port 111) scans?
    > > Several networks I manage are getting scanned from lots of
    > > different hosts.
    > >
    > > The scans are random IPs on the same subnet, I guess to evade
    > > IDS?
    > >
    > > Jason Lewis
    > > http://www.rivalpath.com
    > > "All you can do is manage the risks. There is no security."
    > --
    > /* Disclaimer : you hire my skills, not my opinions, those are mine ! */
    > /* email : arthurat_private    Security    'Me ? I'm not me ! I'm just a */
    > /* phone : (+31) 50 549 2701   is not a    computer simulation of me' */
    > /* URL http://www.reseau.nl    dirty word  Red Dwarf, First Episode */
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:48:43 PDT