
Re: [cobalt-users] Active System Attack Query



> Same here, I get about 2-10 scans a day on port 111. I'd appreciate to know
> why. It comes from Brazil, Argentina, France and other places

Simple use of google.com reveals that port 111 is scanned to exploit
potential RPC vulnerabilities on your server:

Here is some useful information gleaned from that simple search:

   [+] BACKGROUND INFORMATION ON PORT 111 (PORTMAP)
   [+]
   [+] A scan for portmappers (port 111 TCP/UDP) is most likely done in order
   [+] to exploit one or several of the known exploits for RPC services
   [+] (rpc.statd, sadmind, etc). Such exploits give the intruder root
   [+] access to the compromised ("cracked") host.
   [+]
   [+] For the moment being, one of the most likely reasons for portmapper
   [+] scanning is in preparation for exploiting rpc.statd on Linux boxes. See:
   [+]
   [+] http://www.cert.org/advisories/CA-2000-17.html
   [+]
   [+] If a host on your network is used to scan for portmappers, it most
   [+] likely means that the host is compromised ("cracked") by somebody, or
   [+] that a local user is stupid enough to run a vulnerability scanner on
   [+] his own host. In either case, you should investigate.

So we're basically talking real hacking attempts to use recent exploits
found in rpc.statd and rpc.mountd to name but two.

Regards,
Jonathan Michaelson
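
An added example, not part of the original message: a small audit that parses `rpcinfo -p` output from your own server and reports whether the daemons named above (rpc.statd, rpc.mountd, sadmind) are registered with the portmapper. The sample output is constructed, and the function names are hypothetical.

```python
# Constructed sample of `rpcinfo -p` output (not taken from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100005    1   udp    635  mountd
    100005    2   tcp    635  mountd
    100003    2   udp   2049  nfs
"""

# Standard RPC program numbers for the daemons the message names.
# Matching on the number is more reliable than the service-name column,
# which can be empty or differ between systems.
WATCHED = {100024: "rpc.statd", 100005: "rpc.mountd", 100232: "sadmind"}


def parse_rpcinfo(text):
    """Yield (program, version, proto, port, name) for each registration row."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything malformed.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        if not (fields[1].isdigit() and fields[3].isdigit()):
            continue
        name = fields[4] if len(fields) > 4 else ""
        yield int(fields[0]), int(fields[1]), fields[2], int(fields[3]), name


def audit(text):
    """Return {daemon: sorted ['proto/port', ...]} for watched RPC programs."""
    found = {}
    for prog, _vers, proto, port, _name in parse_rpcinfo(text):
        if prog in WATCHED:
            found.setdefault(WATCHED[prog], set()).add(f"{proto}/{port}")
    return {daemon: sorted(eps) for daemon, eps in found.items()}


if __name__ == "__main__":
    for daemon, endpoints in sorted(audit(SAMPLE).items()):
        print(f"{daemon} is registered with portmapper on {', '.join(endpoints)}")
```

To check a live host, pass the text captured from running `rpcinfo -p` on that host to `audit()` in place of `SAMPLE`.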