From: Ignacio Machin (imachinCI.CL)
Date: Thu Jan 18 2001 - 09:07:19 CST


    I have also noted an increase in RPC scanning; yesterday they were from:
    ftp.bses.tcc.edu.tw an RH 6.0 on an i586 kernel 2.2.5
    medicina20.bio.um.es an RH 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586
    205.218.251.7 Red Hat 6.2 (Zoot) Kernel 2.2.14-5.0smp on a 2-processor i686
    216.82.71.6 Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/3.0.15 mod_perl/1.21 on Linux (obtained with netcraft)
    211.62.38.22 RH 6.2 (Zoot) Kernel 2.2.14-5.0 on an i686

    So after this I noticed something:

    ALL of them are RH boxes; all of them seem to have weak protection or none,
    'cause I could connect to ports 23, 21, 25 in almost all of them (except
    216.82.71.6).

    Going now to check if there is some bug on those systems regarding RPC.
    Also of note is that the above reports are from an NT box, so the "thing" has
    no OS detection system.

    ----- Original Message -----
    From: "Nathan W. Lindstrom" <nlindstromENSIM.COM>
    To: <INCIDENTSSECURITYFOCUS.COM>
    Sent: Tuesday, January 16, 2001 2:25 PM
    Subject: Re: anyone else seen an increase in sunrpc scans these days?

    > I strongly recommend downloading, building and running PortSentry from
    > http://www.psionic.com/abacus/portsentry/
    >
    > I have run it with great success on FreeBSD, Linux and Solaris.
    >
    > --Nathan
    >
    >
    >
    > Digital Overdrive wrote:
    > >
    > > [requoted]
    > >
    > > Cristian Dumitrescu wrote:
    > > > On Mon, 15 Jan 2001, Alex Popa wrote:
    > > >
    > > > > In the last five days, the port scans to my entire class C have dramatically
    > > > > increased, from one per two days on average, to four yesterday and six today.
    > > > >
    > > > > Is there a new exploit around, or is there some sort of new worm out there?
    > > > >
    > > > > I might just be paranoid, but here are the addresses that have been looking
    > > > > for port 111 in the last 26 hours:
    > > > >
    > > >
    > > > Hey
    > > > I've been experiencing the same kind of scans in the last 2 weeks, with
    > > > increased density in the last days, from these IP addresses:
    > > >
    > >
    > > Just one question: How do you detect these scans?
    > > I can't find anything in my logs, but I don't have programs like
    > > portsentry running. What can you (all) advise me?
    > >
    > > Kind regards,
    > >
    > > Jan
    > >
    > > --
    > > .~. Dutch Security Information Network : http://www.dsinet.org
    > > /V\ news:alt.hack.nl FAQ : http://www.dsinet.org/hackfaq
    > > /( )\ digioverdsinet.org / digiovercotse.com
    > > ^^-^^ "Microsoft: We make virii work!"
    >
    > --
    >
    >
    > [Your mouse moved. Windows NT will be restarted for your changes to take effect.]
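
An added example, not part of the original thread: one way to answer the "How do you detect these scans?" question from packet-filter logs, by flagging sources that probe port 111 on several distinct hosts of a network. The log lines are constructed (abbreviated Linux iptables LOG format, documentation addresses), and the function name and `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated iptables LOG lines using documentation addresses.
SAMPLE_LOG = """\
Jan 18 09:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1042 DPT=111 SYN
Jan 18 09:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=1043 DPT=111 SYN
Jan 18 09:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=1044 DPT=111 SYN
Jan 18 09:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.13 LEN=60 PROTO=TCP SPT=1045 DPT=111 SYN
Jan 18 09:05:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=2201 DPT=111 SYN
Jan 18 09:05:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=2202 DPT=80 SYN
Jan 18 09:07:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.20 LEN=84 PROTO=UDP SPT=900 DPT=111
Jan 18 09:07:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.21 LEN=84 PROTO=UDP SPT=901 DPT=111
Jan 18 09:07:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.22 LEN=84 PROTO=UDP SPT=902 DPT=111
Jan 18 09:08:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8
Jan 18 09:09:00 gw sshd[412]: unrelated line without packet fields
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
SUNRPC_PORT = 111  # portmapper / sunrpc, the port named in the thread


def find_rpc_scanners(log_text, min_targets=3):
    """Map each source IP to the hosts it probed on port 111.

    Only sources that touched at least `min_targets` distinct destinations
    are returned, so a single client talking to one portmapper is ignored.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Skip lines that are not TCP/UDP packet records (ICMP, other daemons).
        if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
            continue
        if fields["PROTO"] not in ("TCP", "UDP") or not fields["DPT"].isdigit():
            continue
        if int(fields["DPT"]) == SUNRPC_PORT:
            targets[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_rpc_scanners(SAMPLE_LOG).items():
        print(f"{src} probed port 111 on {len(dsts)} hosts: {', '.join(dsts)}")
```

This only works if the packet filter is configured to log dropped or incoming connection attempts in the first place; without such a rule there is nothing in the logs to parse.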