Increase of attempts on port 635 in last couple days

From: Jeff Lane (crashat_private)
Date: Wed Apr 02 2003 - 07:45:14 PST


        Has anyone else had an increase of scans on port 635 in the last 
    couple days?  For me the attacks started showing up on almost an hourly 
    basis since Monday night.  Here are some log snippets from portsentry:
    
    Apr  2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635
    
    
    
    Apr  2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)
    
    There are several of these from "unknown host" and a few from actual resolved hosts.  AFAIK, the only thing on 635 is old rpc.mountd, but I wasn't sure if there was something else going on that I don't know about (there's a lot that I don't know about, so that would not be too surprising).
    
    Also, I have noticed that these seem to be targeted at three specific machines, as none of the others have been reporting any issues regarding this port (just the normal scans, pings, and connect attempts).
    
    Cheers
    Jeff
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 20:08:49 PST