RE: increase in scans for RPC
From: Dan Irwin (dan@jackies.com.au)
Date: 03/21/02
From: Dan Irwin <dan@jackies.com.au>
To: "'Todd Suiter'" <todd@s4r.com>, incidents@securityfocus.com
Date: Thu, 21 Mar 2002 10:28:31 +1000

I have noticed an increase in RPC scanning.

The vast majority of the machines probing me appear to be default
installations of Red Hat Linux 6.2 on Asian networks.

I set up a honeypot to try to catch some of this traffic. Within 6 hours of
going online, my honeypot had an RPC scanning worm. The worm (whose name I do
not know) lives in /dev/ida/.inet/, and installs a modified ps (among
others), scans a class A for sunrpc servers, and puts the ethernet interface
into promiscuous mode to sniff passwords with linsniffer. I believe the worm
exploits the rpc.statd service included with rh6.2.

A quick search on Google reveals this worm has been seen before, so it's
nothing new :)

Dan.
--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan@jackies.com.au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info@jackies.com.au
Web: http://www.jackies.com.au

-----Original Message-----
From: Todd Suiter [mailto:todd@s4r.com]
Sent: Wednesday, 20 March 2002 10:12 AM
To: incidents@securityfocus.com
Cc: Todd Suiter
Subject: increase in scans for RPC

Folks,
We've seen a dramatic increase in syn scans against tcp 111, went from a couple a week to over 11,000 in the past week. Has anyone else seen an increase like this? Is there yet another new tool out, or is this looking for one of the older 'sploits? Is this rpc.cmsd?
t
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
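
A host triage check for two of the artifacts reported in the message above (a hidden directory under /dev and an interface in promiscuous mode), as an added example that is not part of the original posts. The function names, the root-prefix argument and the sample tree are assumptions made for illustration, and the interface check assumes a Linux kernel that exposes /sys/class/net.

```shell
#!/bin/sh
# Added triage sketch (not from the original thread). Each check takes a
# root prefix so it can run against a mounted disk image or a constructed
# tree; an empty prefix means the live system.

# List directories under <root>/dev whose name starts with a dot.
# /dev should hold device nodes, so a hidden directory there (such as
# the /dev/ida/.inet reported above) warrants inspection.
hidden_dev_dirs() {
    root=${1:-}
    [ -d "$root/dev" ] || return 0
    find "$root/dev" -type d -name '.*' 2>/dev/null
}

# Print interfaces whose flags word has IFF_PROMISC (0x100) set,
# read from <root>/sys/class/net/<iface>/flags.
promisc_ifaces() {
    root=${1:-}
    for f in "$root"/sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Build a constructed sample tree that mimics the two findings.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/dev/ida/.inet" "$r/sys/class/net/eth0" "$r/sys/class/net/lo"
    # Constructed flag words, not captured from a real host:
    echo 0x1143 > "$r/sys/class/net/eth0/flags"  # UP|BROADCAST|RUNNING|PROMISC|MULTICAST
    echo 0x9    > "$r/sys/class/net/lo/flags"    # UP|LOOPBACK
    echo "$r"
}

sample=$(make_sample_root)
echo "hidden directories under /dev:"
hidden_dev_dirs "$sample"
echo "promiscuous interfaces:"
promisc_ifaces "$sample"
rm -rf "$sample"
```

Because the message reports a modified ps among other replaced binaries, checks like these are more trustworthy when run from known-good media or against a mounted image of the suspect disk than from the suspect host's own userland.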