
Re: [cobalt-users] Port 111 Attack



On Sat, 12 Jan 2002, Paul Jacobs wrote:

> Port 111 TCP/UDP is used by SUN OS'ES for remote access

Port 111 is part of RPC, or Remote Procedure Call protocol. It has nothing
specifically to do with Sun OSes per se, though as it happens the underlying
protocol was in fact invented by Sun....

The protocol is used for many services including NFS, Network File
Sharing, which any unix capable machine can do, and even non unix machines
occasionally can do.

Port 111 is the interface to all of these services, and the reason people
seem to like scanning this port is due to a vulnerability in a version of
one of the services....Oddly, Sun's are not vulnerable to this one ;P

> At 02:35 PM 1/8/2002, you wrote:
> >is port 111 just  "a" port or does that port have something to it.
> >I see alot of port 111 attacks.

As an aside here, these are NOT 'attacks', they are connections, they may
in fact have been perfectly harmless ...They are only attacks if someone
in fact tried to compromise the server ...

> >----- Original Message -----
> >
> > > I finally got around to installing PortSentry last week and because of
> > > PortSentry
> > > being installed on our RQ4 the Port 111 Attack was caught and taken
> >careof.

It was not 'taken care of' because it was not an attack, and chances are,
the machine was not even listening on that port and wouldn't have done
anything whatsoever in response to the connection to that port. In fact,
the fact you were able to install portsentry without getting errors about
port conflicts tells me there was nothing listening, so in fact all you
accomplished was you got an email telling you someone connected to port
111...

There is perhaps some small value in knowing that there are silly
machines around that still have the stupid worm doing port 111 scanning,
but it tells you nothing about your machine, and would NOT have saved you
if your machine had had old vulnerable software installed ;)

> > > Jan  7 22:37:53 admin portsentry[24275]: attackalert: Host 208.131.42.26
> >has
> > > been blocked via wrappers with string: "ALL: 208.131.42.26"

You realize that now this poor machine can never connect to your
server, it can't send you email, the user, even after he fixes his
machine, still can't look at any of your web pages, you have denied him
all connectivity, just because he connected to a weird port on your server
once....

> > > Installing SSH2, IPChains, Portsentry, Logcheck, Tripwire, Chkrootkit,
> > > Lionfind, Whois, lcap

ssh is good, ipchains is good if you don't shoot off both feet and a hole
in the bottom of the boat with it. logcheck is good if you are willing to
learn what the log messages mean, useless if you are too lazy. Tripwire is
good, if somewhat of a project to install; again, if you don't configure
it properly, it will shoot you. chkrootkit is pointless to install
*before* being rooted ;P

lionfind is obsolete, chkrootkit includes it as of the current version

> > > More info on Port 111 (rpc.statd)
> > >
> > > http://www1.dshield.org/ports/port111.html

Did anyone even bother to READ that link?

gsh
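An added triage script illustrating the two points made in the reply above (a probe of a port nothing is listening on tells you nothing about your own box, and a wrappers rule of the form "ALL: host" denies that host every tcp_wrappers-protected service). It is my example, not code from the list or from PortSentry; the log lines, addresses and the set of listening ports are constructed, in PortSentry's message format as I understand it.

```python
import re

# Constructed sample syslog lines in PortSentry's attackalert format
# (assumed from its documented messages; addresses are RFC 5737 examples).
SAMPLE_LOG = """\
Jan  7 22:37:51 admin portsentry[24275]: attackalert: Connect from host: 192.0.2.26/192.0.2.26 to TCP port: 111
Jan  7 22:37:53 admin portsentry[24275]: attackalert: Host 192.0.2.26 has been blocked via wrappers with string: "ALL: 192.0.2.26"
Jan  7 23:02:10 admin portsentry[24275]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 22
"""

# Constructed: what this box actually has listening (e.g. from `netstat -ltn`).
LISTENING_TCP = {22, 80, 443}

CONNECT_RE = re.compile(r"attackalert: Connect from host: \S+?/(\S+) to (TCP|UDP) port: (\d+)")
BLOCK_RE = re.compile(r'attackalert: Host (\S+) has been blocked via wrappers with string: "([^"]+)"')


def triage(log_text, listening_tcp):
    """Per source host: was each probed port actually open, and what did the
    generated tcp_wrappers rule deny?  Returns {host: {"probes": [...], "denied": ...}}."""
    verdicts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            host, proto, port = m.group(1), m.group(2), int(m.group(3))
            v = verdicts.setdefault(host, {"probes": [], "denied": None})
            is_open = proto == "TCP" and port in listening_tcp
            verdict = "review: service listening" if is_open else "noise: nothing listening"
            v["probes"].append((proto, port, verdict))
            continue
        m = BLOCK_RE.search(line)
        if m:
            host, rule = m.group(1), m.group(2)
            # hosts.deny syntax is "daemon_list : client_list"; "ALL" as the
            # daemon list means every wrapped service, not just the probed one.
            daemon_list = rule.split(":", 1)[0].strip()
            v = verdicts.setdefault(host, {"probes": [], "denied": None})
            v["denied"] = "every tcp_wrappers-protected service" if daemon_list == "ALL" else daemon_list
    return verdicts


if __name__ == "__main__":
    for host, v in triage(SAMPLE_LOG, LISTENING_TCP).items():
        print(host, v["probes"], "denied:", v["denied"])
```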