Jason Lewis (and many others) stated:

Anyone else seeing an increase in SunRPC (port 111) scans? Several networks I manage are getting scanned from lots of different hosts. The scans are random IPs on the same subnet, I guess to evade IDS?

----

The scans that I have seen over the past 30 days (relating to Port 111 scans) typically started with a scan of Port 111 followed by Port 530 and then a high port in the 32k range. The scans ranged from scanning a single class C, to an entire class B, and if others in my class A would cooperate I would be able to tell you if the entire class A was scanned. Due to the timing and occasional delays, I would say that there have been several mass IP block scans recently. Most of them have been coming from Chinese and Korean hosts and the occasional .TW host.

The scans have related specifically to Sun RPC, however several automated exploits have also been tested, ranging in skillset from typos in code relating to the failure of the exploit, to quick and clean, to not prescanning.

It does not seem that those who are conducting the mass IP block scans really care about IDS systems. As previously stated, most of the scans are not host specific and cover a very large number of IPs scanned in a very short period of time - I consider an entire class B in less than eight hours a short period of time.
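An added example, not part of the original post: one way to look for the pattern described above in connection logs, flagging sources that sweep many hosts on port 111 and hosts where the 111, 530, high-port sequence completed. The log format, the sample addresses, the sweep threshold, and reading "32k range" as ports 32000-32999 are all assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
988100000 203.0.113.7 192.0.2.10 111
988100001 203.0.113.7 192.0.2.11 111
988100002 203.0.113.7 192.0.2.12 111
988100040 203.0.113.7 192.0.2.11 530
988100041 203.0.113.7 192.0.2.11 32771
988100100 198.51.100.9 192.0.2.10 80
988100200 198.51.100.23 192.0.2.12 530
988100201 198.51.100.23 192.0.2.12 111
"""

HIGH_PORTS = range(32000, 33000)  # assumption: what "32k range" means


def stage_of(port):
    """Map a destination port to its step in the 111 -> 530 -> 32k sequence."""
    if port == 111:
        return 0
    if port == 530:
        return 1
    return 2 if port in HIGH_PORTS else None


def analyze(log_text, sweep_threshold=3):
    """Per source: hosts probed on 111, sweep flag, hosts with full sequence."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((int(ts), src, dst, int(port)))
    progress = defaultdict(int)    # (src, dst) -> next expected stage
    swept = defaultdict(set)       # src -> hosts probed on port 111
    followups = defaultdict(list)  # src -> hosts where all three stages were seen
    for _, src, dst, port in sorted(events):  # process in time order
        stage = stage_of(port)
        if stage is None:
            continue
        if stage == 0:
            swept[src].add(dst)
        if stage == progress[(src, dst)]:  # only count stages seen in order
            progress[(src, dst)] += 1
            if progress[(src, dst)] == 3:
                followups[src].append(dst)
    return {src: {"swept": len(hosts),
                  "sweep": len(hosts) >= sweep_threshold,
                  "followups": followups.get(src, [])}
            for src, hosts in swept.items()}
```

A host listed under `followups` received the whole sequence from one source and is the one to check first for an exposed RPC service.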
This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 09:02:52 PDT