I have noticed an increase in RPC scanning. The vast majority of the machines probing me appear to be default installations of Redhat Linux 6.2 on Asian networks. I set up a honeypot to try to catch some of this traffic. Within 6 hours of going online, my honeypot had an RPC scanning worm.

The worm (whose name I do not know) lives in /dev/ida/.inet/, and installs a modified ps (among others), scans a class A for sunrpc servers, and puts the ethernet interface into promiscuous mode to sniff passwords with linsniffer.

I believe the worm exploits the rpc.statd service included with rh6.2.

A quick search on Google reveals this worm has been seen before, so it's nothing new :)

Dan.

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: danat_private
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: infoat_private
Web: http://www.jackies.com.au

-----Original Message-----
From: Todd Suiter [mailto:toddat_private]
Sent: Wednesday, 20 March 2002 10:12 AM
To: incidentsat_private
Cc: Todd Suiter
Subject: increase in scans for RPC

Folks,

We've seen a dramatic increase in syn scans against tcp 111, went from a couple a week to over 11,000 in the past week. Has anyone else seen an increase like this? Is there yet another new tool out, or is this looking for one of the older 'sploits? Is this rpc.cmsd?

t

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
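Both messages above describe the same signal from the defender's side: a jump in SYN probes against tcp/111 (sunrpc), and individual sources sweeping many hosts on that port. The script below is an added example, not code from either poster or from the list, showing how to pull that signal out of firewall logs: it counts port-111 SYNs per day, flags days above an expected baseline, and lists sources that probed several distinct hosts (a horizontal scan of the kind the worm in Dan's report performs). The log lines are constructed for the example in the style of Linux netfilter (iptables LOG target) syslog output; the field names SRC=, DST=, DPT= and the SYN flag token follow that format, and all addresses are documentation ranges, not real scanners.

```python
"""Spot a surge of SYN probes against TCP port 111 (sunrpc) in netfilter logs.

Added example for the thread above, not part of the original messages.
Assumes iptables LOG-target syslog formatting (SRC=, DST=, PROTO=TCP, DPT=,
flag tokens such as SYN) and a syslog "Mon DD HH:MM:SS" timestamp prefix.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the thread); RFC 5737 addresses.
SAMPLE_LOG = """\
Mar 18 03:11:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=2049 DPT=111 SYN
Mar 18 03:11:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP SPT=2049 DPT=111 SYN
Mar 18 03:11:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.7 PROTO=TCP SPT=2049 DPT=111 SYN
Mar 18 09:40:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 19 14:02:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=111 SYN
Mar 19 14:02:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.6 PROTO=TCP SPT=40002 DPT=111 SYN
Mar 19 22:15:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1234 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \S+ .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dport>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return (date, src, dst, dport, is_syn) for a TCP log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date = f"{m['mon']} {m['day']}"
    # Flag names appear as separate tokens after DPT=, e.g. "... DPT=111 WINDOW=512 SYN URGP=0"
    is_syn = "SYN" in m["rest"].split()
    return date, m["src"], m["dst"], int(m["dport"]), is_syn


def syn_probes(log_text, dport=111):
    """All SYN packets aimed at dport, as (date, src, dst) tuples."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == dport and rec[4]:
            out.append(rec[:3])
    return out


def probes_per_day(log_text, dport=111):
    """Number of SYN probes against dport seen on each day."""
    return dict(Counter(date for date, _, _ in syn_probes(log_text, dport)))


def days_above_baseline(log_text, baseline, dport=111):
    """Days whose probe count exceeds what is normally expected (the 'couple a week' level)."""
    return sorted(d for d, n in probes_per_day(log_text, dport).items() if n > baseline)


def horizontal_scanners(log_text, dport=111, min_targets=3):
    """Sources that sent SYNs to at least min_targets distinct hosts on dport (a sweep)."""
    targets = defaultdict(set)
    for _, src, dst in syn_probes(log_text, dport):
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    print("port 111 SYNs per day:", probes_per_day(SAMPLE_LOG))
    print("days above baseline of 2:", days_above_baseline(SAMPLE_LOG, baseline=2))
    print("sources sweeping 3+ hosts:", horizontal_scanners(SAMPLE_LOG))
```

On the constructed input this reports three port-111 SYNs on Mar 18 and two on Mar 19, flags Mar 18 against a baseline of two, and names 203.0.113.7 as the only source that touched three distinct hosts. Pointing it at a real netfilter log replaces SAMPLE_LOG with the file contents; the per-day counts are what you would compare against Todd's "couple a week" baseline, and the sweep list is what you would feed into blocking or abuse-contact follow-up.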
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 16:32:59 PST