Has anyone else had an increase of scans on port 635 in the last couple days? For me the attacks started showing up on almost an hourly basis since Monday night. Here are some log snippets from portsentry:

Apr 2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635
Apr 2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)

There are several of these from "unknown host" and a few from actual resolved hosts. AFAIK, the only thing on 635 is old rpc.mountd, but I wasn't sure if there was something else going on that I don't know about (there's a lot that I don't know about, so that would not be too surprising).

Also, I have noticed that these seem to be targeted at three specific machines, as none of the others have been reporting any issues regarding this port (just the normal scans, pings, and connect attempts).

Cheers
Jeff
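Added example, not part of the original post: one way to tally portsentry attackalert lines for a single port by reporting machine, source address and hour, to check the "hourly" and "three specific machines" observations against the logs. It handles only the two message forms quoted above; the raq2 lines and the 192.0.2.7 address in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the ones quoted in the post;
# the raq2 lines and the 192.0.2.7 address are made up for illustration.
SAMPLE = """\
Apr 2 20:30:40 raq1 portsentry[938]: attackalert: Connect from host: pool-151-204-101-103.ny325.east.verizon.net/151.204.101.103 to TCP port: 635
Apr 2 16:55:29 raq1 portsentry[938]: attackalert: Possible stealth scan from unknown host to TCP port: 635 (accept failed)
Apr 2 20:41:02 raq2 portsentry[412]: attackalert: Connect from host: 192.0.2.7/192.0.2.7 to TCP port: 635
Apr 2 21:03:15 raq2 portsentry[412]: attackalert: Connect from host: 192.0.2.7/192.0.2.7 to TCP port: 111
"""

# Matches only the two portsentry message forms shown in the post.
ALERT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+(?P<sensor>\S+)\s+"
    r"portsentry\[\d+\]: attackalert: "
    r"(?:Connect from host: \S+/(?P<src>\S+)|Possible stealth scan from unknown host)"
    r" to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)


def parse(lines):
    """Yield one dict per recognised attackalert line; skip everything else."""
    for line in lines:
        m = ALERT.match(line)
        if m:
            alert = m.groupdict()
            alert["src"] = alert["src"] or "unknown"  # "unknown host" form has no address
            alert["port"] = int(alert["port"])
            yield alert


def summarize(lines, port):
    """Count alerts for one port by reporting machine, source and clock hour."""
    sensors, sources, hourly = Counter(), Counter(), Counter()
    for a in parse(lines):
        if a["port"] != port:
            continue
        sensors[a["sensor"]] += 1
        sources[a["src"]] += 1
        hourly[f'{a["mon"]} {a["day"]} {a["hour"]}:00'] += 1
    return {"sensors": dict(sensors), "sources": dict(sources), "hourly": dict(hourly)}


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE.splitlines(), 635).items():
        print(name, counts)
```

Run over the combined syslog of all machines, the "sensors" count shows which hosts are receiving the port 635 probes and "hourly" shows whether the rate is really rising.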
This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 20:08:49 PST