[Snort-users] rpc.statd

Colin Wu wucolin at ...2181...
Wed Jun 6 12:31:21 EDT 2001


This looks like someone looking for the sunrpc portmapper, which listens on both TCP and UDP port 111.

There is nothing really magical about ports <1024.  It's just a convention that "ephemeral" ports are chosen from above 1023.  On Unix
boxes only the super-user (usually root) can actually open a source port <1024, but on Windows and DOS boxes (and probably Macintosh)
nothing prevents it.

skop d'skop wrote:

> Thanks David,
> But what I wonder about is this pattern.
> May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
> May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
>
> First it looks for SYN (which is a TCP flag), then it looks for the UDP protocol. For UDP, the source port is below 1024.
>
> Plus, is there anything about a source port < 1024 (isn't that abnormal?) scanning some destination on destination port < 1024 (normal)?
>
> Thanks
> -skop
>
> -----Original Message-----
> From:    LEFEVRE David David.LEFEVRE at ...2178...
> Sent:    Wed, 06 Jun 2001 09:44:42 +0200
> To:      skop at ...2175...
> CC:      snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] rpc.statd
>
> You should look for Cybercop or Nessus Security scanning tool.
> I use it to improve security of my net, it runs well. It also has a
> "nmap plugin".
>
> For an example:
> Vulnerability found on port unknown (669/tcp)
>
> The remote statd service could be brought down
> with a format string attack - it now needs to
> be restarted manually.
>
> This means that an attacker may execute arbitrary
> code thanks to a bug in this daemon.
>
> Solution : upgrade to the latest version of rpc.statd
> Risk factor : High
> see CVE : CVE-2000-0666 (http://cgi.nessus.org/cve.php3?cve=CVE-2000-0666)
>
> Best regards,
> David
>
> skop d'skop wrote:
>
> > hi guys,
> > came across this alert lately for my network
> >
> > [**] IDS10 - RPC - portmap-request-rstatd [**]
> >
> > May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
> > May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
> > May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
> > May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
> >
> > and I'm wondering what kind of scanning / tool triggers this alert.
> >
> > I've run #rpcinfo -p hostname and #nmap -sU -sR hostname, yet got no similar output.
> >
> > -skop
> > ___________________________________________________________________________
> > Visit http://www.visto.com/info, your free web-based communications center.
> > Visto.com. Life on the Dot.
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> David LEFEVRE
> CARDIF - Architecture et Sécurité Opérationnelle
> david.lefevre at ...2178... - Tél : 01 41 42 76 63

--

   __     _             _            Network Analyst
  /  )   //            ' )   /       Computing & Information Services
 /    __|/  o ____      / / / . .    McMaster University
(__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140 ext 24050
                                     http://netman.McMaster.CA
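The triage Colin describes (portmapper on TCP and UDP 111, plus the "privileged source port" question) can be automated over the portscan log lines skop quoted. The following is an added example, not code from this thread or from Snort: it parses lines in the quoted portscan log format, groups port-111 probes per source address, and reports whether a source hit the portmapper over both transports, swept several hosts, or used a source port below 1024. The sample log text is constructed for this example from the thread's own placeholder addresses (A.B.C.80, X.Y.Z.9, ...) with one extra non-portmapper line added as a negative case.

```python
import re
from collections import defaultdict

# Constructed sample input in the Snort portscan log format quoted in the thread.
# The last line (port 80) is added here as a negative case and is not from the thread.
SAMPLE_LOG = """\
May 30 11:25:15 A.B.C.80:3348 -> X.Y.Z.9:111 SYN ******S*
May 30 11:25:16 A.B.C.80:726 -> X.Y.Z.9:111 UDP
May 20 11:25:15 A.B.C.80:3351 -> X.Y.Z.12:111 SYN ******S*
May 20 11:25:15 A.B.C.80:3352 -> X.Y.Z.13:111 SYN ******S*
May 30 11:26:02 A.B.C.81:40123 -> X.Y.Z.9:80 SYN ******S*
"""

# "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <SYN flags | UDP>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>SYN \S+|UDP)$"
)

PORTMAPPER_PORT = 111      # sunrpc portmapper, TCP and UDP
PRIVILEGED_MAX = 1023      # ports <= 1023 need root on Unix; no such rule elsewhere


def parse_line(line):
    """Parse one portscan log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        # A SYN line is a TCP connection attempt; "UDP" lines carry no flags.
        "proto": "tcp" if m["proto"].startswith("SYN") else "udp",
    }


def summarize(log_text, portmapper_port=PORTMAPPER_PORT, privileged_max=PRIVILEGED_MAX):
    """Group probes against the portmapper port by source address.

    For each source, record which hosts were hit over TCP and over UDP and
    which probes came from a privileged (<= 1023) source port.
    """
    per_src = defaultdict(lambda: {
        "tcp_targets": set(),
        "udp_targets": set(),
        "privileged_sports": [],
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != portmapper_port:
            continue
        entry = per_src[rec["src"]]
        entry[rec["proto"] + "_targets"].add(rec["dst"])
        if rec["sport"] <= privileged_max:
            entry["privileged_sports"].append((rec["proto"], rec["sport"]))
    return dict(per_src)


def classify(entry):
    """Turn one source's summary into the three questions raised in the thread."""
    targets = entry["tcp_targets"] | entry["udp_targets"]
    return {
        # Same host probed on 111 over both transports: portmapper enumeration.
        "both_protocols": bool(entry["tcp_targets"] & entry["udp_targets"]),
        # Several distinct hosts on 111: a sweep for portmappers, not one lookup.
        "sweep": len(targets) >= 2,
        # Low source port: root on Unix, or simply a non-Unix scanner.
        "privileged_source": bool(entry["privileged_sports"]),
    }


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, sorted(entry["tcp_targets"]), sorted(entry["udp_targets"]),
              entry["privileged_sports"], classify(entry))
```

Running it on the sample shows A.B.C.80 probing X.Y.Z.9 over both TCP and UDP, sweeping three hosts on port 111, and sending the UDP probe from port 726; A.B.C.81 never appears because its only line targets port 80. The "privileged_source" flag is reported rather than scored, since, as the reply above notes, a source port below 1024 says nothing by itself about the sender's platform or privilege.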