[Snort-users] XNS or RPC

Max Vision vision at ...4...
Tue Mar 13 01:20:57 EST 2001


Hi,

Those packets are to sunrpc/portmap/port111, the "udp 56" from tcpdump
means that the payload size of the udp packet is 56.  The destination port
number (111) can also be seen in your packet trace as "006f". Further,
these are queries for rpc status (100024), probably checking for the
presence of rpc.statd to exploit it...

It's very interesting that you get a malformed icmp packet first - this
may be a fingerprinting technique to speed scanning for vulnerable statd?

Max

On Mon, 12 Mar 2001, Peter Charbonneau wrote:
> I see the following packets followed by a Large ICMP Packet ....  In
> one database I looked in, UDP port 56 is XNS-AUTH, but tcpdump says
> sunrpc.  Has anybody seen this kind of thing, or is this just another
> mapping scheme (or some such)?
>
> bash-2.04# tcpdump -r snort-0312\@1200.log -X host 200.131.250.24 | more
> 12:00:56.913056 dcs.ufla.br.737 > francis.williams.edu.sunrpc:  udp 56
>   0000: 4500 0054 92f1 0000 3211 a55c c883 fa18  E..T....2..\....
>   0010: 89a5 040a 02e1 006f 0040 3990 1728 4da6  .......o.@9..(M.
>   0020: 0000 0000 0000 0002 0001 86a0 0000 0002  ................
>   0030: 0000 0003 0000 0000 0000 0000 0000 0000  ................
>   0040: 0000 0000 0001 86b8 0000 0001 0000 0011  ................
>   0050: 0000 0000                                ....
>
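To make the decoding in the reply above concrete, here is an added example (not code from either poster) that parses the quoted `tcpdump -X` hex dump, walks the IPv4, UDP and ONC RPC headers, and confirms that the packet is a portmapper GETPORT call (program 100000, procedure 3) asking for the UDP port of program 100024 (status / rpc.statd). The hex words are copied from the post; the ASCII column is dropped, and the parser tolerates it if present. Class and function names are my own, and `is_statd_lookup` is the kind of check a detection rule for this traffic would implement.

```python
"""Decode a tcpdump -X dump of a sunrpc/portmap request (IPv4 + UDP + ONC RPC v2)."""
import struct
from dataclasses import dataclass

# Hex dump taken from the quoted post (ASCII column omitted).
DUMP = """\
0000: 4500 0054 92f1 0000 3211 a55c c883 fa18
0010: 89a5 040a 02e1 006f 0040 3990 1728 4da6
0020: 0000 0000 0000 0002 0001 86a0 0000 0002
0030: 0000 0003 0000 0000 0000 0000 0000 0000
0040: 0000 0000 0001 86b8 0000 0001 0000 0011
0050: 0000 0000
"""

RPC_CALL = 0
PORTMAP_PROG = 100000      # portmapper / sunrpc, listens on port 111
PMAPPROC_GETPORT = 3       # "which port does program X/version Y use?"
STATUS_PROG = 100024       # "status" = rpc.statd
HEXDIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(text: str) -> bytes:
    """Turn 'offset: xxxx xxxx ... ascii' lines into raw packet bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, _, rest = line.partition(":")
        groups = []
        for tok in rest.split():
            # tcpdump -X prints at most 8 groups of 4 hex chars before the ASCII column
            if len(groups) == 8 or len(tok) > 4 or not set(tok) <= HEXDIGITS:
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


@dataclass
class PortmapQuery:
    src: str
    dst: str
    sport: int
    dport: int
    udp_payload_len: int   # what tcpdump prints as "udp N"
    xid: int
    rpc_prog: int
    rpc_vers: int
    rpc_proc: int
    target_prog: int       # program the client is asking the portmapper about
    target_vers: int
    target_proto: int      # 6 = TCP, 17 = UDP
    target_port: int       # ignored by GETPORT, normally 0


def decode(pkt: bytes) -> PortmapQuery:
    """Decode IPv4 -> UDP -> RPC CALL -> portmap GETPORT arguments."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, _cksum = struct.unpack_from("!HHHH", pkt, ihl)
    rpc = pkt[ihl + 8: ihl + ulen]

    # RPC call header: xid, msg_type, rpcvers, prog, vers, proc (all 32-bit big-endian)
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack_from("!6I", rpc, 0)
    if msg_type != RPC_CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    off = 24
    # Credential and verifier: flavor, length, opaque body padded to a 4-byte boundary.
    for _ in range(2):
        _flavor, length = struct.unpack_from("!II", rpc, off)
        off += 8 + ((length + 3) & ~3)
    if prog != PORTMAP_PROG or proc != PMAPPROC_GETPORT:
        raise ValueError("not a portmap GETPORT call")
    tprog, tvers, tproto, tport = struct.unpack_from("!4I", rpc, off)
    return PortmapQuery(src, dst, sport, dport, ulen - 8, xid,
                        prog, vers, proc, tprog, tvers, tproto, tport)


def is_statd_lookup(q: PortmapQuery) -> bool:
    """Detection check: an external host asking the portmapper where rpc.statd lives."""
    return q.dport == 111 and q.target_prog == STATUS_PROG


if __name__ == "__main__":
    q = decode(parse_hexdump(DUMP))
    print(f"{q.src}:{q.sport} -> {q.dst}:{q.dport} udp {q.udp_payload_len}")
    print(f"GETPORT prog={q.target_prog} vers={q.target_vers} proto={q.target_proto}")
    print("statd lookup:", is_statd_lookup(q))
```

Everything the reply points out falls out of the decode: destination port `006f` is 111, UDP length `0040` is 64 so the payload is 56 bytes, program `000186a0` is the portmapper, and the `000186b8` in the arguments is 100024. A Snort rule for this traffic would match on the same constants at the same offsets in the UDP payload.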
