Hi,

>Port 530 is not particularly known to me,
>but it's for sure a
>pretty often occurring RPC service on some
>platform. Or it's a backdoor.
>Haven't seen this until now.
>Maybe someone here in the audience can give us a clue.

This is the port created by a snmpXdmid exploit for Solaris if it was a successful attack, so I assume they are just scanning to see if someone already exploited this hole but has not returned yet. See the message from Ryan Russell, "Carko/snmpXdmid Analysis v1.0", in this list for an analysis of the exploit.

Regards,
Philipp

This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 08:18:56 PDT