Ok.... so after checking CERT, I've found there are well known
exploits of rpc.statd, and that I'm probably being "Ramen"
scanned in all likelihood.
Since I've got the latest and greatest on the machine, I'm set.
Now, I need to see why I'm not getting hits on my firewall logs
for the FTP service scan which is associated with it... I THOUGHT
I turned off FTP (it's not wu_ftp even then) since it wasn't needed,
I guess I'll have to double check and ensure it IS shut down.
Thanks!
Bill Ward
-----Original Message-----
From: Rick Warner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 17, 2001 3:43 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Port Scan on Port 111
111 is the door to all the Portmapper services, and the one of greatest
current interest is rpc.statd. Look at www.cert.org and search for
rpc.statd. There are known bugs in some versions that allow a root
compromise. The recent 'Linux worms', e.g., Ramen and Lion, use the
rpc.statd vulnerability as one of the points of entry. As long as you have
it blocked you should be OK.
- rick warner -
On Tue, 17 Apr 2001, Ward William E DLDN wrote:
> Hey folks, I'm getting portscanned constantly on tcp Port Scanned
> on Port 111 on a machine I have as a firewall.
>
> /etc/services lists that as sunrpc 111/tcp portmapper (RPC 4.0 portmapper).
>
> Ok... it's not open that I can tell, so I'm not in danger... but I find
> it curious that's the port everyone wants to handle.
>
> Anyone know what well known Trojan/backdoor/virus/whatever uses 111,
> or what well known exploit on the sunrpc exists?
>
> Thanks!
>
> Bill Ward
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
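
One way to check a firewall log for the pattern discussed in this thread: which sources probed TCP port 111, and whether the same source also shows a logged probe of port 21. This is an added example, not code from the thread. It assumes netfilter LOG-style lines (the thread does not say which firewall or log format is in use); the sample lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG format (an assumption, see lead-in).
# Addresses come from the documentation ranges.
SAMPLE_LOG = """\
Apr 17 15:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=4021 DPT=111 SYN
Apr 17 15:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=4022 DPT=21 SYN
Apr 17 15:07:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=1093 DPT=111 SYN
Apr 17 15:07:43 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=1093 DPT=111 SYN
Apr 17 15:09:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=50 PROTO=UDP SPT=900 DPT=111 LEN=64
Apr 17 15:12:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=4030 DPT=22 SYN
"""

# Only the fields needed here; \b keeps "SPT=" from matching as "DPT=".
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
WATCHED = {111: "sunrpc", 21: "ftp"}


def probes_by_source(log_text):
    """Return {source_ip: {port: count}} for logged TCP packets to watched ports."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or not fields.get("DPT", "").isdigit():
            continue  # not a TCP packet log line, or no usable port
        port = int(fields["DPT"])
        if port in WATCHED and "SRC" in fields:
            hits[fields["SRC"]][port] += 1
    return {src: dict(ports) for src, ports in hits.items()}


def classify(hits):
    """Split sources into (hit 111 and 21, hit 111 with no logged 21 probe)."""
    both = sorted(s for s, p in hits.items() if 111 in p and 21 in p)
    rpc_only = sorted(s for s, p in hits.items() if 111 in p and 21 not in p)
    return both, rpc_only


if __name__ == "__main__":
    both, rpc_only = classify(probes_by_source(SAMPLE_LOG))
    print("port 111 and port 21 probes logged:", both)
    print("port 111 only, no port 21 entry:  ", rpc_only)
```

A source in the second list either never probed port 21 or its port 21 packets are not reaching a logging rule, so it is worth confirming that the rule covering FTP both blocks and logs.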