Hi,

> Jason Lewis (and many others) stated:
>
> Anyone else seeing an increase in SunRPC (port 111) scans? Several networks
> I manage are getting scanned from lots of different hosts.

our best practice is to block port 111. This has reduced incidents radically.

And ...

> From the scans that I have seen over the past 30 days (relating to Port
> 111 scans) typically started with a scan of Port 111 followed by Port 530
> and then a high port in the 32k range. ...

I would think that most of your observed scans are rpcinfo-type scans getting this way the vulnerable service port. So blocking 111 is equivalent to a good policy implemented in /etc/hosts.[deny&allow] with Venema's rpcbind/portmap.

Port 530 is not particularly known to me, but it's for sure a pretty often occurring RPC service on some platform. Or it's a backdoor. Haven't seen this until now. Maybe someone here in the audience can give us a clue.

32k range is where lots of RPC services listen. These could also be found by avoiding the canonical way of finding them (rpcinfo) but by blind scanning the typical 32k range.

Slow scans: we had bind (port 53) & port 1008 scans occurring at very low rates for class C networks. Especially the 1008 (unusual port) scans I noticed one or two months ago. Some time later I have seen us-scanning boxes (scanning for lpd & bind) which offer a backdoor on this port.

Bye, Jens Hektor
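
Added example, not part of the original message: a small log check that separates the two probe patterns discussed above, a port 111 probe followed by a high RPC port, and a blind sweep of the 32k range with no port 111 probe. The log format, the sample records, the 32768-32999 bounds and the threshold of 5 are assumptions made for this illustration.

```python
from collections import defaultdict

# Assumption: "32k range" is taken as 32768-32999; adjust for your platform.
HIGH_RPC = range(32768, 33000)
# Assumption: distinct high ports from one source, with no 111 probe, to call it a sweep.
BLIND_THRESHOLD = 5

# Constructed sample records: "timestamp source destination dest_port"
SAMPLE_LOG = """\
2001-04-20T10:00:01 192.0.2.10 198.51.100.5 111
2001-04-20T10:00:02 192.0.2.10 198.51.100.5 530
2001-04-20T10:00:03 192.0.2.10 198.51.100.5 32771
2001-04-20T11:15:00 192.0.2.77 198.51.100.5 32768
2001-04-20T11:15:01 192.0.2.77 198.51.100.5 32769
2001-04-20T11:15:02 192.0.2.77 198.51.100.5 32770
2001-04-20T11:15:03 192.0.2.77 198.51.100.5 32771
2001-04-20T11:15:04 192.0.2.77 198.51.100.5 32772
2001-04-20T12:00:00 192.0.2.99 198.51.100.9 53
this line is malformed and is skipped
"""

def parse(log):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3])

def classify(log):
    """Return {source: label} for sources that match either probe pattern."""
    seen = defaultdict(list)  # (src, dst) -> destination ports in time order
    for ts, src, dst, port in sorted(parse(log)):
        seen[(src, dst)].append(port)
    result = {}
    for (src, dst), ports in seen.items():
        high = [i for i, p in enumerate(ports) if p in HIGH_RPC]
        if not high:
            continue
        # Port 111 probed before a high RPC port: the rpcinfo-style lookup.
        if 111 in ports and ports.index(111) < high[-1]:
            result[src] = "portmapper-guided"
        # Many distinct high ports and no earlier 111 probe: blind sweep.
        elif len({ports[i] for i in high}) >= BLIND_THRESHOLD and src not in result:
            result[src] = "blind-high-port-sweep"
    return result

if __name__ == "__main__":
    for source, label in classify(SAMPLE_LOG).items():
        print(source, label)
```

Blocking port 111 at the border stops only the first pattern, so the second label is the one to watch after such a block is in place.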
This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 08:28:57 PDT