[Snort-users] rpc.statd

LEFEVRE David David.LEFEVRE at ...2178...
Wed Jun 6 03:44:42 EDT 2001


You should look for the Cybercop or Nessus security scanning tool.
I use it to improve security of my net, it runs well. It also has a
"nmap plugin".

For example:
Vulnerability found on port unknown (669/tcp)

The remote statd service could be brought down
with a format string attack - it now needs to
be restarted manually.

This means that an attacker may execute arbitrary
code thanks to a bug in this daemon.

Solution : upgrade to the latest version of rpc.statd
Risk factor : High
see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)

Best regards,
David

skop d'skop wrote:

> hi guys,
> come across this alert lately for my network
>
> [**] IDS10 - RPC - portmap-request-rstatd [**]
>
> May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
> May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
> May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
> May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
> May 20 11:25:16 208.131.80.80:727 -> X.Y.Z.13:111 UDP
>
> and i'm wondering what kind of scanning / tool that trigger this alert.
>
> i've done with #rpcinfo -p hostname and #nmap -sU -sR hostname, yet no similar output.
>
> -skop

--
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
david.lefevre at ...2178... - Tél : 01 41 42 76 63
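
An added example, not part of the original thread: one way to triage log lines in the layout quoted above is to group them by source and list which hosts were probed on port 111, over TCP, UDP or both. The sample lines, the function names and the `min_hosts` threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted log lines; the addresses
# are documentation ranges, not values taken from the thread.
SAMPLE_LOG = """\
May 30 11:25:15 192.0.2.80:3348 -> 198.51.100.9:111 SYN ******S*
May 30 11:25:16 192.0.2.80:726 -> 198.51.100.9:111 UDP
May 30 11:25:15 192.0.2.80:3351 -> 198.51.100.12:111 SYN ******S*
May 30 11:25:15 192.0.2.80:3352 -> 198.51.100.13:111 SYN ******S*
May 30 11:25:16 192.0.2.80:727 -> 198.51.100.13:111 UDP
May 30 11:26:02 192.0.2.44:40112 -> 198.51.100.9:80 SYN ******S*
"""

# "<Mon> <day> <time> <src>:<sport> -> <dst>:<dport> <SYN|UDP> [flags]"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+(?P<proto>SYN|UDP)\b"
)
PORTMAP_PORT = 111  # portmapper/rpcbind, the port in the quoted alert


def parse(log_text):
    """Yield (src, dst, dport, proto) for each line that fits the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.lstrip("> ").strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"]


def portmap_sweeps(log_text, min_hosts=2):
    """Map each source that probed port 111 on at least min_hosts distinct
    hosts to {target: sorted protocols seen}. min_hosts is an assumed
    threshold to tune per network."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, proto in parse(log_text):
        if dport == PORTMAP_PORT:
            seen[src][dst].add(proto)
    return {
        src: {dst: sorted(protos) for dst, protos in targets.items()}
        for src, targets in seen.items()
        if len(targets) >= min_hosts
    }


if __name__ == "__main__":
    for src, targets in portmap_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed portmapper on {len(targets)} hosts")
        for dst, protos in targets.items():
            print(f"  {dst}: {'/'.join(protos)}")
```

Hosts that show both SYN and UDP entries are the ones to check first for exposed RPC services such as rpc.statd.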

