From: Colin Wu (wucolin@mcmaster.ca)
Date: Wed Jun 06 2001 - 11:31:21 CDT


    This looks like someone looking for sunrpc portmapper, which listens on both TCP and UDP port 111.

    There is nothing really magical about ports <1024. It's just a convention that "ephemeral" ports are chosen from above 1023. On Unix
    boxes only the super-user (usually root) can actually open a source port <1024, but on Windows and DOS boxes (and probably Macintosh)
    nothing prevents it.

    skop d'skop wrote:

    > Thanks David,
    > But what I wonder this pattern.
    > May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
    > May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
    >
    > First it looks for SYN ( which is TCP Flag) then it looks for UDP Protocol. For UDP, the source port is below 1024.
    >
    > Plus is there anything about source port < 1024 ( isn't that abnormal ?) scanning to some destination to destination port < 1024 (normal)
    >
    > Thanks
    > -skop
    >
    > -----Original Message-----
    > From: LEFEVRE David David.LEFEVRE@cardif.fr
    > Sent: Wed, 06 Jun 2001 09:44:42 +0200
    > To: skop@visto.com
    > CC: snort-users@lists.sourceforge.net
    > Subject: Re: [Snort-users] rpc.statd
    >
    > You should look for Cybercop or Nessus Security scanning tool.
    > I use it to improve security of my net, it runs well. It also has a
    > "nmap plugin".
    >
    > For an example :
    > Vulnerability found on port unknown (669/tcp)
    >
    > The remote statd service could be brought down
    > with a format string attack - it now needs to
    > be restarted manually.
    >
    > This means that an attacker may execute arbitrary
    > code thanks to a bug in this daemon.
    >
    > Solution : upgrade to the latest version of rpc.statd
    > Risk factor : High
    > see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)
    >
    > Best regards,
    > David
    >
    > skop d'skop wrote:
    >
    > > hi guys,
    > > come across this alert lately for my network
    > >
    > > [**] IDS10 - RPC - portmap-request-rstatd [**]
    > >
    > > May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
    > > May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
    > > May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
    > > May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
    > >
    > > and i'm wondering what kind of scanning / tool triggers this alert.
    > >
    > > i've done with #rpcinfo -p hostname and #nmap -sU -sR hostname , yet no similar output.
    > >
    > > -skop
    > > ___________________________________________________________________________
    > > Visit http://www.visto.com/info, your free web-based communications center.
    > > Visto.com. Life on the Dot.
    > >
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-users@lists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >
    > --
    > David LEFEVRE
    > CARDIF - Architecture et Sécurité Opérationnelle
    > david.lefevre@cardif.fr - Tél : 01 41 42 76 63
    >

    --
    Colin Wu, Network Analyst
    Computing & Information Services, McMaster University
    (905)525-9140 ext 24050  http://netman.McMaster.CA
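As an added illustration (not part of the thread, and not anyone's posted code): a small Python script that parses portscan lines in the format quoted above and reports, per source host, exactly the points Colin's reply makes: both TCP and UDP probes to portmapper on 111, several hosts hit on 111 (a sweep), and any source port below 1024, which on a Unix box implies root. The log lines are a constructed copy of the ones in the thread; names like `findings` are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the Snort portscan lines quoted in the thread.
SAMPLE_LOG = """\
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>\S+):(?P<sport>\d+) -> "
                     r"(?P<dst>\S+):(?P<dport>\d+) (?P<proto>SYN|UDP)")
PORTMAP = 111  # sunrpc portmapper listens on both TCP and UDP 111

def parse_portscan_log(text):
    """Parse 'Mon DD HH:MM:SS src:port -> dst:port SYN|UDP' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in any other format are skipped rather than guessed at
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["proto"] = "TCP" if e["proto"] == "SYN" else "UDP"
            events.append(e)
    return events

def summarize_portmap_probes(events):
    """Per source host: transports used, distinct targets on 111, source ports < 1024."""
    per_src = defaultdict(lambda: {"protos": set(), "targets": set(), "low_sports": []})
    for e in events:
        if e["dport"] != PORTMAP:
            continue
        s = per_src[e["src"]]
        s["protos"].add(e["proto"])
        s["targets"].add(e["dst"])
        if e["sport"] < 1024:
            s["low_sports"].append((e["proto"], e["sport"]))
    return dict(per_src)

def findings(summary):
    """Turn the per-source summary into the observations an analyst would note."""
    out = {}
    for src, s in summary.items():
        notes = []
        if s["protos"] == {"TCP", "UDP"}:
            notes.append("portmapper probed over both TCP and UDP 111")
        if len(s["targets"]) > 1:
            notes.append("%d hosts probed on 111 (portmapper sweep)" % len(s["targets"]))
        for proto, sport in s["low_sports"]:
            notes.append("%s source port %d < 1024 (root on Unix, anyone on Windows/DOS)" % (proto, sport))
        out[src] = notes
    return out
```

Running `findings(summarize_portmap_probes(parse_portscan_log(SAMPLE_LOG)))` on the sample yields three notes for A.B.C.80: both transports, three hosts swept, and the UDP probe from port 726.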
