OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Derek Kwan (dkwanKWAN.CA)
Date: Mon Jan 15 2001 - 13:54:38 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Yes I have seen alot of sunrpc scan on my cable modem too.

    Since Jan 1, 2001 I get appx 3-4 sunrpc scan daily. Here are a list of IPs
    for sunrpc scan on my server since 1 Jan 2001.

    216.128.39.125
    208.35.4.25
    216.253.248.140
    24.108.84.147
    24.70.222.168
    24.22.169.216
    24.167.61.7
    152.101.127.222
    211.172.14.13
    211.75.16.178
    160.78.31.151
    211.100.8.165
    211.5.191.200
    64.2.219.110

    Also there is a scan from 24.0.0.203 (authorized-scan1.security.home.net)
    on port 119 atleast 2-3 times daily too. Does other cable modem user have
    a similiar scan on their machine?

     \|/ _____ \|/ ***************************************************
     "'/ , . \`" This e-mail is send with 100% recyclable electrons.
     /_| \___/ |__\ ***************************************************
        \___U_/ DerekKWAN.ca

    On Sun, 14 Jan 2001, Steve Buttgereit wrote:

    > I'm beginning see a lot, too. All different IPs though. I'm also seeing a
    > lot of scans in my snort log that follow this pattern: FIN scan to port
    > 111 --> RPC Info. Query --> RPC portmap-request status --> Shellcode x86
    > NOPS. It all started about a week ago.
    >
    > SCB
    > -----Original Message-----
    > From: Jason Lewis [mailto:jlewisJASONLEWIS.NET]
    > Sent: Sunday, January 14, 2001 10:20 PM
    > To: INCIDENTSSECURITYFOCUS.COM
    > Subject: Re: anyone else seen an increase in sunrpc scans these days?
    >
    > I couldn't find any of those addresses, but I have similar scans in my logs.
    >
    > 63.91.6.36
    > 64.32.209.213
    > 64.21.114.2
    > 66.22.62.2
    > 216.98.160.251
    >
    > Last 24 hours....all the above IP's are looking for Sun RPC.
    >
    > jas
    > http://www.rivalpath.com
    >
    > -----Original Message-----
    > From: Incidents Mailing List [mailto:INCIDENTSSECURITYFOCUS.COM]On
    > Behalf Of Alex Popa
    > Sent: Sunday, January 14, 2001 7:26 PM
    > To: INCIDENTSSECURITYFOCUS.COM
    > Subject: anyone else seen an increase in sunrpc scans these days?
    >
    >
    > In the last five days, the port scans to my entire class C have dramatically
    > increased, from one per two days on average, to four yesterday and six
    > today.
    >
    > Is there a new exploit around, or is there some sort of new worm out there?
    >
    > I might just be paranoid, but here are the addreses that have been looking
    > for port 111 in the last 26 hours:
    >
    > 24.26.121.156
    > 24.168.66.119
    > 64.31.226.156
    > 142.169.227.102
    > 193.226.15.15
    > 211.218.144.11
    >
    > ------------+------------------------------------------
    > Alex Popa, | "Artificial Intelligence is
    > razorldc.ro| no match for Natural Stupidity"
    > ------------+------------------------------------------
    > "It took the computing power of three C-64s to fly to the Moon.
    > It takes a 486 to run Windows 95. Something is wrong here."
    >