Re: Sun RPC Scans, Port 111/530/32k

From: auto222418at_private
Date: Tue Apr 24 2001 - 07:28:54 PDT


    Jason Lewis (and many others) stated:
    
    Anyone else seeing an increase in SunRPC (port 111) scans?  Several networks
    I manage are getting scanned from lots of different hosts.
    
    The scans are random IP's on the same subnet, I guess to evade IDS?
    
    ----
    
    From the scans that I have seen over the past 30 days (relating to Port
    111 scans) typically started with a scan of Port 111 followed by Port 530
    and then a high port in the 32k range.
    
    The scans ranged from scanning a single class C, to an entire class B, and
    if others in my class A would cooperate I would be able to tell you if the
    entire class A was scanned.  Due to the timing and occasional delays, I would
    say that there have been several mass IP block scans recently.  Most of
    them have been coming from Chinese and Korean hosts and the occasional .TW
    host.  The scans have related specifically to Sun RPC, however several automated
    exploits have also been tested.  Ranging in skillset from typos in code
    relating to the failure of the exploit, to quick and clean, to not prescanning.
    
    It does not seem that those who are conducting the mass IP block scans really
    care about IDS systems.  As previously stated, most of the scans are not
    host specific and cover a very large number of IP's scanned in a very short
    period of time - I consider an entire class B in less than eight hours a
    short period of time.
    



    This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 09:02:52 PDT
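
The probe order reported in the message above (port 111, then 530, then a high port in the 32k range) can be checked for in connection logs. The following is an added example, not part of the original post: the log format, the addresses and the reading of "32k range" as 32000-32999 are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up "time src -> dst:port proto" format.
SAMPLE_LOG = """\
2001-04-24T06:00:01 203.0.113.7 -> 192.0.2.10:111 tcp
2001-04-24T06:00:02 203.0.113.7 -> 192.0.2.11:111 tcp
2001-04-24T06:00:03 203.0.113.7 -> 192.0.2.12:111 tcp
2001-04-24T06:05:10 203.0.113.7 -> 192.0.2.11:530 tcp
2001-04-24T06:05:40 203.0.113.7 -> 192.0.2.11:32771 tcp
2001-04-24T06:10:00 198.51.100.4 -> 192.0.2.10:111 tcp
2001-04-24T06:11:00 198.51.100.9 -> 192.0.2.10:32772 tcp
2001-04-24T06:12:00 198.51.100.9 -> 192.0.2.10:111 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def stage(port):
    """Map a destination port to its position in the reported sequence."""
    if port in (111, 530):
        return (111, 530).index(port)
    # Assumption: "32k range" is read here as ports 32000-32999.
    return 2 if 32000 <= port <= 32999 else None

def analyze(log_text):
    """Return {src: {"stages": [...], "full_sequence": bool, "targets": n}}."""
    first_seen = defaultdict(dict)   # src -> {stage: earliest timestamp}
    targets = defaultdict(set)       # src -> hosts probed on port 111
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # skip lines that do not fit the format
        ts, src, dst, port = datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])
        s = stage(port)
        if s is None:
            continue                 # port is not part of the pattern
        first_seen[src][s] = min(ts, first_seen[src].get(s, ts))
        if s == 0:
            targets[src].add(dst)
    report = {}
    for src, seen in first_seen.items():
        # Stages ordered by when each was first observed from this source.
        ordered = [s for s, _ in sorted(seen.items(), key=lambda kv: kv[1])]
        report[src] = dict(stages=ordered, full_sequence=ordered == [0, 1, 2],
                           targets=len(targets[src]))
    return report
```

The `targets` count separates a source sweeping many hosts on port 111 from one touching a single machine, which matches the block-wide scans the message describes.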